Cyber Resilience

CVE-2026-31635

Severity: High · Updated

Published: 24 April 2026

Modified: 18 May 2026
KEV Added
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0004 (11.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31635 is a high-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability in the Linux Kernel (vendor: Linux). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 11.7th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31635 is a vulnerability in the Linux kernel's RxRPC implementation, specifically in the rxgk_verify_response() function within the rxrpc module. The issue stems from an inverted check on the decoded authenticator length (auth_len), which fails to properly verify that it fits within the remaining packet bytes. As a result, oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), potentially leading to an invalid length in skb_to_sgvec() and triggering a BUG_ON(len) kernel crash. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a crafted RxRPC packet with an oversized authenticator length, the attacker triggers the inverted check, causing the kernel workqueue processing to reach the BUG_ON in skbuff.c, resulting in a kernel panic and denial of service. The impact is limited to availability disruption, with no confidentiality or integrity effects.

The referenced kernel stable commits contain the fix: commits a2567217ade970ecc458144b6be469bc015b23e5, beee051f259acd286fed64c32c2b31e6f5097eb5, and e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305 reject authenticator lengths exceeding the remaining packet payload, so oversized values no longer propagate to the decryption routines. Security practitioners should apply these patches to affected Linux kernel versions that have RxRPC enabled.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix oversized RESPONSE authenticator length check

rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len).

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)]
Call Trace:
  skb_to_sgvec() [net/core/skbuff.c:5305]
  rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
  rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
  rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
  process_one_work() [kernel/workqueue.c:3281]
  worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
  kthread() [kernel/kthread.c:436]
  ret_from_fork() [arch/x86/kernel/process.c:164]

Reject authenticator lengths that exceed the remaining packet payload.
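The deeper analysis and the commit message above both describe the same defect class: a length field is decoded from an untrusted packet, and the comparison that should bound it against the bytes actually present runs the wrong way. The following is an added, constructed illustration of that check and its corrected form. It is not the kernel's rxgk_verify_response() code; the packet layout (a 32-bit big-endian length followed by the authenticator bytes), the struct and function names, and the sample payloads are all assumptions made for the example. The `inverted` flag exists only so the buggy and fixed comparisons can be run side by side on the same input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a RESPONSE-style payload: a 32-bit big-endian
 * authenticator length followed by the authenticator bytes. Illustrative
 * only; this is not the kernel's rxgk implementation.
 */
struct pkt {
    const uint8_t *data;
    size_t len;             /* total payload bytes available */
};

/* Read a 32-bit big-endian field at 'offset', bounds-checked against the buffer. */
static bool read_be32(const struct pkt *p, size_t offset, uint32_t *out)
{
    if (offset > p->len || p->len - offset < sizeof(uint32_t))
        return false;
    const uint8_t *b = p->data + offset;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    return true;
}

/*
 * Decode auth_len at 'offset' and check it against the bytes remaining
 * after the length field. 'inverted' selects the buggy comparison so both
 * behaviours can be compared. Returns 0 when the authenticator is accepted
 * (and *auth_len is set), -1 when it is rejected.
 */
static int verify_auth_len(const struct pkt *p, size_t offset, bool inverted,
                           uint32_t *auth_len)
{
    if (!read_be32(p, offset, auth_len))
        return -1;                          /* no room for the length field itself */

    size_t remaining = p->len - offset - sizeof(uint32_t);

    if (inverted) {
        /* Buggy: the comparison runs the wrong way, so a declared length
         * larger than the remaining payload is accepted and would be handed
         * on to the decryption stage with more bytes than exist. */
        if (*auth_len <= remaining)
            return -1;
        return 0;
    }

    /* Fixed: reject any declared length that exceeds the payload left. */
    if (*auth_len > remaining)
        return -1;
    return 0;
}

/* Constructed sample payloads: 4-byte length, then 8 authenticator bytes. */
static const uint8_t valid_pkt[]     = { 0x00, 0x00, 0x00, 0x08,      /* claims 8 bytes, 8 present */
                                         1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t oversized_pkt[] = { 0x00, 0x00, 0x10, 0x00,      /* claims 4096 bytes, 8 present */
                                         1, 2, 3, 4, 5, 6, 7, 8 };

/* Returns 0 if the packet passes the chosen check, -1 if it is rejected. */
int check_packet(const uint8_t *data, size_t len, bool inverted)
{
    struct pkt p = { data, len };
    uint32_t auth_len;
    return verify_auth_len(&p, 0, inverted, &auth_len);
}

int main(void)
{
    printf("fixed    check: valid=%d oversized=%d\n",
           check_packet(valid_pkt, sizeof valid_pkt, false),
           check_packet(oversized_pkt, sizeof oversized_pkt, false));
    printf("inverted check: valid=%d oversized=%d\n",
           check_packet(valid_pkt, sizeof valid_pkt, true),
           check_packet(oversized_pkt, sizeof oversized_pkt, true));
    return 0;
}
```

With the corrected comparison the oversized payload is rejected before any later stage sees the impossible length, which is the property the kernel fix restores; the inverted variant accepts it, and in the kernel that acceptance is what lets the length reach skb_to_sgvec() and trip BUG_ON(len). Computing `remaining` only after read_be32() has confirmed the four length bytes are present also avoids the unsigned underflow that a naive `len - offset - 4` would produce on a truncated packet.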

CWE(s)

Related Threats

Threat-Actor Attribution (AI)

North Korea Hackers Spotted Targeting Job Seekers with macOS Malware
Chinese Hackers Carried Out Country-Level Watering Hole Attack
IndigoZebra (G0136)
IndigoZebra APT Hacking Campaign Targets the Afghan Government

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote unauthenticated exploitation of an RxRPC kernel bug via crafted packet, directly causing kernel panic/BUG_ON crash for availability impact. This precisely matches T1499.004 (Endpoint DoS via Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23388 · Same product: Linux Linux Kernel
CVE-2026-23242 · Same product: Linux Linux Kernel
CVE-2026-22991 · Same product: Linux Linux Kernel
CVE-2025-21717 · Same product: Linux Linux Kernel
CVE-2026-23459 · Same product: Linux Linux Kernel
CVE-2026-31640 · Same product: Linux Linux Kernel
CVE-2026-31739 · Same product: Linux Linux Kernel
CVE-2024-56772 · Same product: Linux Linux Kernel
CVE-2026-23095 · Same product: Linux Linux Kernel
CVE-2026-31417 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.16, 7.0 · 6.16.1 — 6.18.23 · 6.19 — 6.19.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates the CVE by requiring timely remediation of the inverted authenticator length check flaw through application of the specified Linux kernel patches.

prevent

Enforces validation of information inputs such as RxRPC packet authenticator lengths to reject oversized values before they propagate to decryption and cause kernel crashes.

prevent · detect

Protects system availability against denial-of-service attacks exploiting the oversized authenticator length to trigger kernel panic via crafted network packets.

References