CVE-2026-31635
Published: 24 April 2026
Summary
CVE-2026-31635 is a high-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 11.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-31635 is a vulnerability in the Linux kernel's RxRPC implementation, specifically in the rxgk_verify_response() function within the rxrpc module. The issue stems from an inverted check on the decoded authenticator length (auth_len), which fails to properly verify that it fits within the remaining packet bytes. As a result, oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), potentially leading to an invalid length in skb_to_sgvec() and triggering a BUG_ON(len) kernel crash. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a crafted RxRPC packet with an oversized authenticator length, the attacker triggers the inverted check, causing the kernel workqueue processing to reach the BUG_ON in skbuff.c, resulting in a kernel panic and denial of service. The impact is limited to availability disruption, with no confidentiality or integrity effects.
The provided kernel stable commit references detail the fix: commits a2567217ade970ecc458144b6be469bc015b23e5, beee051f259acd286fed64c32c2b31e6f5097eb5, and e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305 reject authenticator lengths exceeding the remaining packet payload, preventing the oversized values from propagating to decryption routines. Security practitioners should apply these patches to affected Linux kernel versions supporting RxRPC.
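The inverted comparison described above, reduced to a user-space illustration (an added example, not the kernel's code or the upstream patch). The 4-byte length-prefix layout, the function names and the sample packets are assumptions constructed for this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed toy layout, NOT the real RxGK wire format:
 * 4-byte big-endian auth_len, then the authenticator bytes. */
#define HDR_LEN 4u

/* Constructed sample packets. */
const uint8_t PKT_EXACT[]     = {0, 0, 0, 4, 0xde, 0xad, 0xbe, 0xef};       /* claims 4, carries 4 */
const uint8_t PKT_PARTIAL[]   = {0, 0, 0, 2, 0xde, 0xad, 0xbe, 0xef};       /* claims 2, carries 4 */
const uint8_t PKT_OVERSIZED[] = {0, 0, 0xff, 0xff, 0xde, 0xad, 0xbe, 0xef}; /* claims 65535, carries 4 */

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Inverted comparison: rejects a length that fits, accepts one that does not.
 * Returns 0 (accept, *auth_len set) or -1 (reject). */
int check_auth_len_inverted(const uint8_t *pkt, size_t pkt_len, uint32_t *auth_len)
{
    if (pkt_len < HDR_LEN)
        return -1;
    uint32_t len = read_be32(pkt);
    if (len < pkt_len - HDR_LEN)   /* wrong direction */
        return -1;
    *auth_len = len;
    return 0;
}

/* Corrected comparison: reject any length that exceeds the remaining payload. */
int check_auth_len_fixed(const uint8_t *pkt, size_t pkt_len, uint32_t *auth_len)
{
    if (pkt_len < HDR_LEN)
        return -1;
    uint32_t len = read_be32(pkt);
    if (len > pkt_len - HDR_LEN)
        return -1;
    *auth_len = len;
    return 0;
}

int main(void)
{
    uint32_t n = 0;
    printf("oversized: inverted=%d fixed=%d\n",
           check_auth_len_inverted(PKT_OVERSIZED, sizeof PKT_OVERSIZED, &n),
           check_auth_len_fixed(PKT_OVERSIZED, sizeof PKT_OVERSIZED, &n));
    return 0;
}
```

The inverted form passes the oversized length downstream while refusing a well-formed packet whose authenticator is shorter than the remaining payload, so both outcomes are worth covering in a regression test.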
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25528
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix oversized RESPONSE authenticator length check
rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len).
Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:
  RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)]
  Call Trace:
   skb_to_sgvec() [net/core/skbuff.c:5305]
   rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
   rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
   rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
   process_one_work() [kernel/workqueue.c:3281]
   worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
   kthread() [kernel/kthread.c:436]
   ret_from_fork() [arch/x86/kernel/process.c:164]
Reject authenticator lengths that exceed the remaining packet payload.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote, unauthenticated exploitation of an RxRPC kernel bug via a crafted packet, directly causing a kernel panic (BUG_ON crash) with availability impact. This precisely matches T1499.004 (Endpoint DoS via Application or System Exploitation).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely remediation of the inverted authenticator length check flaw through application of the specified Linux kernel patches.
Enforces validation of information inputs such as RxRPC packet authenticator lengths to reject oversized values before they propagate to decryption and cause kernel crashes.
Protects system availability against denial-of-service attacks exploiting the oversized authenticator length to trigger kernel panic via crafted network packets.