Cyber Resilience

CVE-2026-31630

Severity: High (Updated)

Published: 24 April 2026
Modified: 01 June 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31630 is a high-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31630 is a stack buffer overflow vulnerability in the Linux kernel's RxRPC implementation, specifically within the procfs helpers in net/rxrpc/proc.c. The issue arises because these helpers use fixed 50-byte stack buffers to format local and remote socket addresses via the "%pISpc" specifier. This size is insufficient for the longest possible IPv6-with-port output produced by the kernel's vsprintf formatter in lib/vsprintf.c, particularly for ISATAP addresses, which can generate strings up to 51 bytes including the null terminator, such as "[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535".

A local attacker with low privileges can exploit this vulnerability by triggering the affected procfs address formatting, as indicated by the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could allow the attacker to overwrite adjacent stack memory, potentially leading to arbitrary code execution, data corruption, or denial of service with high impacts on confidentiality, integrity, and availability.

The provided kernel stable commit references detail the mitigation, which involves resizing the buffers to accommodate the formatter's maximum textual output and switching the call sites to use scnprintf() for safe bounded formatting. Additional changes in the patch revisions include correcting the changelog to explicitly cite the maximum ISATAP case and refining the proof around the formatting path. Security practitioners should apply these stable kernel updates to affected versions.
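The sizing arithmetic above, as an added userspace example (not the kernel patch or the page's own code): `bounded_format()` is a hypothetical stand-in that mimics the return convention of the kernel's `scnprintf()`, and `FIXED_BUF_SIZE` is derived from the string cited in the advisory, not taken from the actual commit.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Longest IPv6-with-port form cited in the advisory (ISATAP, dotted-quad tail). */
#define MAX_ISATAP_FORM "[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535"
#define OLD_BUF_SIZE    50                       /* char[50] described in the advisory */
#define FIXED_BUF_SIZE  sizeof(MAX_ISATAP_FORM)  /* assumption: visible text + NUL */

/* Userspace stand-in for scnprintf(): never writes past size, and returns
 * the number of characters actually stored, excluding the trailing NUL. */
static int bounded_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Bytes a buffer must provide to hold text plus its NUL terminator. */
static size_t bytes_needed(const char *text)
{
    return strlen(text) + 1;
}

/* Format the worst-case address into a buffer limited to `capacity` bytes
 * and report how many characters were stored. */
static int stored_len(size_t capacity)
{
    char buf[64]; /* backing store larger than any capacity tested here */

    if (capacity > sizeof(buf))
        capacity = sizeof(buf);
    return bounded_format(buf, capacity, "%s", MAX_ISATAP_FORM);
}

int main(void)
{
    printf("needed=%zu old=%d fixed=%d\n", bytes_needed(MAX_ISATAP_FORM),
           stored_len(OLD_BUF_SIZE), stored_len(FIXED_BUF_SIZE));
    return 0;
}
```

With bounded formatting, a 50-byte buffer stores only 49 characters and drops the last port digit instead of writing a 51st byte; the resized buffer holds the full 50-character string.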

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: proc: size address buffers for %pISpc output

The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce.

In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap().

As a result, a case such as

[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535

is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c.

Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf().

Changes since v1:
- correct the changelog to cite the actual maximum current-tree case explicitly
- frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local kernel stack buffer overflow in the RxRPC procfs helpers lets a low-privileged user trigger an overflow that could lead to arbitrary code execution, directly enabling privilege escalation via a kernel exploit.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 - Same product: Linux Linux Kernel
CVE-2026-23111 - Same product: Linux Linux Kernel
CVE-2026-31530 - Same product: Linux Linux Kernel
CVE-2026-23387 - Same product: Linux Linux Kernel
CVE-2025-21856 - Same product: Linux Linux Kernel
CVE-2025-21727 - Same product: Linux Linux Kernel
CVE-2026-23275 - Same product: Linux Linux Kernel
CVE-2026-31401 - Same product: Linux Linux Kernel
CVE-2024-57980 - Same product: Linux Linux Kernel
CVE-2026-23437 - Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
4.9, 7.0 · 4.9.1 — 6.18.23 · 6.19 — 6.19.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the stack buffer overflow vulnerability by requiring identification, reporting, and correction via the kernel patch that resizes buffers and uses scnprintf() for safe formatting.

prevent, detect

Implements memory protection mechanisms like stack canaries that directly prevent or detect exploitation of the stack buffer overflow in RxRPC procfs address formatting.

detect

Enables detection of the specific buffer overflow flaw in the Linux kernel's RxRPC procfs through vulnerability scanning, facilitating timely remediation.

References