CVE-2026-31630
Published: 24 April 2026
Summary
CVE-2026-31630 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 3.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31630 is a stack buffer overflow vulnerability in the Linux kernel's RxRPC implementation, specifically within the procfs helpers in net/rxrpc/proc.c. The issue arises because these helpers use fixed 50-byte stack buffers to format local and remote socket addresses via the "%pISpc" specifier. This size is insufficient for the longest possible IPv6-with-port output produced by the kernel's vsprintf formatter in lib/vsprintf.c, particularly for ISATAP addresses, which can generate strings up to 51 bytes including the null terminator, such as "[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535".
A local attacker with low privileges can exploit this vulnerability by triggering the affected procfs address formatting, as indicated by the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could allow the attacker to overwrite adjacent stack memory, potentially leading to arbitrary code execution, data corruption, or denial of service with high impacts on confidentiality, integrity, and availability.
The provided kernel stable commit references detail the mitigation, which involves resizing the buffers to accommodate the formatter's maximum textual output and switching the call sites to use scnprintf() for safe bounded formatting. Additional changes in the patch revisions include correcting the changelog to explicitly cite the maximum ISATAP case and refining the proof around the formatting path. Security practitioners should apply these stable kernel updates to affected versions.
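The sizing argument above can be checked in userspace. The following is an added example, not code from the kernel patch: scnprintf_demo(), isatap_bytes_needed(), format_guarded() and the FMT layout string are hypothetical stand-ins for the kernel's scnprintf() and "%pISpc" formatter, and the guard region is a constructed test fixture.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Text layout of the ISATAP-with-port case cited in the commit message. */
#define FMT "[%x:%x:%x:%x:0:5efe:%u.%u.%u.%u]:%u"

/* Userspace stand-in for the kernel's scnprintf(): never writes past size,
 * always NUL-terminates, returns the bytes stored (excluding the NUL). */
static int scnprintf_demo(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? (int)size - 1 : n;
}

/* Bytes (including the NUL) that the text needs for the given field values. */
static int isatap_bytes_needed(unsigned g, unsigned octet, unsigned port)
{
    return snprintf(NULL, 0, FMT, g, g, g, g,
                    octet, octet, octet, octet, port) + 1;
}

/* Format the worst case into `size` bytes at the front of a guarded region.
 * Returns bytes stored, or -1 if any byte beyond `size` was modified. */
static int format_guarded(size_t size)
{
    unsigned char region[96];
    int stored;
    size_t i;

    memset(region, 0xAA, sizeof(region));
    stored = scnprintf_demo((char *)region, size, FMT, 0xffffu, 0xffffu,
                            0xffffu, 0xffffu, 255u, 255u, 255u, 255u, 65535u);
    for (i = size; i < sizeof(region); i++)
        if (region[i] != 0xAA)
            return -1;
    return stored;
}
```

With a 50-byte limit the bounded call stores 49 characters and truncates the port; with 51 bytes the full 50-character string fits, which is why the fix both resizes the buffers and bounds the write.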
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25523
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: proc: size address buffers for %pISpc output
The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce.
In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 is possible with the current formatter.
That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c.
Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf().
Changes since v1:
- correct the changelog to cite the actual maximum current-tree case explicitly
- frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel stack buffer overflow in procfs (RxRPC) allows low-privileged user to trigger overflow for arbitrary code execution, directly enabling privilege escalation via kernel exploit.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the stack buffer overflow vulnerability by requiring identification, reporting, and correction via the kernel patch that resizes buffers and uses scnprintf() for safe formatting.
Implements memory protection mechanisms like stack canaries that directly prevent or detect exploitation of the stack buffer overflow in RxRPC procfs address formatting.
Enables detection of the specific buffer overflow flaw in the Linux kernel's RxRPC procfs through vulnerability scanning, facilitating timely remediation.