PatchSiren


CVE-2026-31641 Linux CVE debrief

The Linux kernel's rxrpc module has a heap buffer overflow in rxrpc_preparse_xdr_yfs_rxgk(), the routine that loads RxGK tokens supplied through the rxrpc key type. The function reads the raw key length and ticket length from the XDR-encoded token as u32 values and passes each through round_up(x, 4) before validating it and before allocating. For any raw length >= 0xfffffffd the rounding wraps to 0 in 32-bit arithmetic, so the bounds check compares 0 against the limit and passes, kzalloc() is sized for 0 bytes of payload, and the subsequent memcpy() is handed the original length of almost 4 GiB, writing far past the allocation. The parsing path is reachable from an unprivileged add_key() call.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-24
Original CVE updated
2026-06-30
Advisory published
2026-04-24
Advisory updated
2026-06-30

Who should care

Anyone running a Linux kernel on which the rxrpc module (which registers the rxrpc key type used for AFS/RxGK tokens) is loaded or can be loaded. Because the vulnerable parser runs inside add_key() with no privilege requirement, a local unprivileged user can trigger the overflow; a kernel heap overflow of this shape is at least a denial of service and may be escalatable to local privilege escalation. Distribution kernel maintainers, administrators of multi-tenant or shared-access hosts (shell servers, CI runners, container hosts), and operators of AFS-style deployments that depend on rxrpc should track the fix.

Technical summary

rxrpc_preparse_xdr_yfs_rxgk() parses the key and ticket fields of an RxGK token. Each field is an XDR opaque: a u32 byte count followed by the bytes, padded to a multiple of 4. The function rounds the raw count with round_up(x, 4) and then uses the rounded value both for the bounds check and for sizing the kzalloc() of the structure whose flexible array receives the data, while the memcpy() that fills it uses the raw count. round_up(x, 4) expands to ((x - 1) | 3) + 1; evaluated as u32, any x in 0xfffffffd..0xffffffff yields 0. A crafted token carrying such a length therefore passes the check with a rounded size of 0, receives an allocation with no room for the payload, and is then copied with a length of roughly 4 GiB, corrupting adjacent heap memory (the copy also reads far past the end of the supplied token). The fix is to validate before rounding: reject a raw key length above AFSTOKEN_GK_KEY_MAX and a raw ticket length above AFSTOKEN_GK_TOKEN_MAX, and size the flexible-array allocation from the validated raw key length rather than from the rounded one.
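To make the arithmetic concrete, the following is an added example written for this debrief; it is not code from the kernel, from the fix, or from this page. It reproduces the wrap in user space using the kernel's round_up() expression evaluated as u32, contrasts the vulnerable check-after-round ordering with the fixed check-before-round ordering, and parses a constructed XDR opaque item the safe way. GK_KEY_MAX and GK_TOKEN_MAX are hypothetical stand-ins for AFSTOKEN_GK_KEY_MAX and AFSTOKEN_GK_TOKEN_MAX, whose real values this page does not give, and the sample items are constructed, not real tokens. The vulnerable path is modelled as a size plan rather than executed, because the real memcpy() would copy about 4 GiB.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for AFSTOKEN_GK_KEY_MAX / AFSTOKEN_GK_TOKEN_MAX;
 * the real kernel values are not given on this page. */
#define GK_KEY_MAX   64u
#define GK_TOKEN_MAX 1024u

/* The kernel's round_up() expression, evaluated in u32 like the original. */
static uint32_t round_up_u32(uint32_t x, uint32_t align)
{
	return ((x - 1) | (align - 1)) + 1;
}

/* Decode a big-endian XDR u32, the wire form of the length fields. */
static uint32_t xdr_u32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* What a parser would do with one length: accept it or not, and the
 * sizes it would hand to kzalloc() and memcpy(). */
struct size_plan {
	int      accepted;
	uint32_t alloc_len;
	uint32_t copy_len;
};

/* Vulnerable ordering: round first, check and allocate on the rounded
 * value, copy the raw value. */
static struct size_plan plan_vulnerable(uint32_t raw_len, uint32_t max)
{
	struct size_plan p = { 0, 0, 0 };
	uint32_t rounded = round_up_u32(raw_len, 4); /* 0 for >= 0xfffffffd */

	if (rounded > max)
		return p;
	p.accepted  = 1;
	p.alloc_len = rounded;
	p.copy_len  = raw_len;
	return p;
}

/* Fixed ordering: reject the raw value before rounding and size from it. */
static struct size_plan plan_fixed(uint32_t raw_len, uint32_t max)
{
	struct size_plan p = { 0, 0, 0 };

	if (raw_len > max)
		return p;
	p.accepted  = 1;
	p.alloc_len = raw_len;
	p.copy_len  = raw_len;
	return p;
}

/* 1 if the plan would memcpy() more bytes than it allocated. */
static int plan_overflows(struct size_plan p)
{
	return p.accepted && p.copy_len > p.alloc_len;
}

/* Parse one XDR opaque (<u32 len><bytes padded to 4>) the safe way into a
 * bounded output buffer. Returns bytes consumed, or 0 if rejected. */
static size_t parse_opaque_fixed(const uint8_t *buf, size_t buf_len,
				 uint32_t max, uint8_t *out, size_t out_len)
{
	uint32_t raw_len, padded;

	if (buf_len < 4)
		return 0;
	raw_len = xdr_u32(buf);
	if (raw_len > max || raw_len > out_len)  /* validate before rounding */
		return 0;
	padded = round_up_u32(raw_len, 4);       /* now at most max + 3 */
	if ((size_t)padded > buf_len - 4)        /* padded body must fit input */
		return 0;
	memcpy(out, buf + 4, raw_len);
	return 4 + padded;
}

/* Constructed sample items (not real tokens). */
static const uint8_t sample_ok[]   = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
static const uint8_t sample_evil[] = { 0xff, 0xff, 0xff, 0xff, 'A', 'B', 'C', 'D' };
static uint8_t scratch[GK_KEY_MAX];

int main(void)
{
	uint32_t raw = xdr_u32(sample_evil);
	struct size_plan v = plan_vulnerable(raw, GK_KEY_MAX);

	printf("raw=0x%08x round_up(raw,4)=0x%08x\n", raw, round_up_u32(raw, 4));
	printf("vulnerable: accepted=%d alloc=%u copy=%u overflow=%d\n",
	       v.accepted, v.alloc_len, v.copy_len, plan_overflows(v));
	printf("fixed: key accepted=%d ticket accepted=%d\n",
	       plan_fixed(raw, GK_KEY_MAX).accepted,
	       plan_fixed(raw, GK_TOKEN_MAX).accepted);
	printf("parse ok=%zu evil=%zu bytes consumed\n",
	       parse_opaque_fixed(sample_ok, sizeof(sample_ok), GK_KEY_MAX,
				  scratch, sizeof(scratch)),
	       parse_opaque_fixed(sample_evil, sizeof(sample_evil), GK_KEY_MAX,
				  scratch, sizeof(scratch)));
	return 0;
}
```

The vulnerable plan for a length of 0xffffffff is accepted with alloc_len 0 and copy_len 0xffffffff, which is exactly the mismatch the debrief describes; the fixed plan rejects the same length against either limit, and the safe parser additionally checks that the padded body fits inside the supplied buffer so that a truncated token cannot make the copy read past the input.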

Defensive priority

Patch promptly. The bug needs only a local unprivileged account and a single add_key() call to corrupt kernel heap memory, so any host where untrusted users or workloads can execute code should be treated as exposed until a fixed kernel is running. Hosts that do not use AFS or AF_RXRPC can close the path in the meantime by keeping the rxrpc module from loading.

Recommended defensive actions

  • Apply the Linux kernel maintainers' fix (rejecting raw lengths above AFSTOKEN_GK_KEY_MAX and AFSTOKEN_GK_TOKEN_MAX before rounding) by updating to a distribution kernel that carries it, and confirm from the distribution's advisory that the running build includes the patch rather than relying on the version number alone.
  • On hosts that do not use AFS or AF_RXRPC, prevent the rxrpc module from loading (for example an "install rxrpc /bin/false" line in a file under /etc/modprobe.d/) so the rxrpc key type is never registered and the vulnerable parser is unreachable; check lsmod to confirm it is not already loaded.
  • For containers and sandboxed workloads, deny add_key() (and keyctl() where not needed) in the seccomp profile; default runtime profiles differ, so inspect the effective profile rather than assuming it.
  • Monitor for exploitation attempts: audit add_key() calls (an auditd rule on the add_key syscall) and look for the key type "rxrpc", and treat kernel oopses, KASAN reports or slab corruption warnings referencing net/rxrpc as potential signals.
  • Keep the usual vulnerability scanning and patch-management cadence, but note that this is a local issue which scanners that prioritize on network exposure will not rank highly.

Evidence notes

The stored evidence does not name the reporter. The Linux kernel maintainers have published a fix. The issue is tracked as CVE-2026-31641 (published 2026-04-24, last updated 2026-06-30) with a CVSS score of 7.8 (High); no CISA KEV listing is recorded in the stored evidence.

Official resources

This article was generated with AI assistance based on the supplied source corpus.