CVE-2026-31635

High

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)] Call Trace: skb_to_sgvec() [net/core/skbuff.c:5305] rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] rxgk_verify_response() [net/rxrpc/rxgk.c:1268] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Reject authenticator lengths that exceed the remaining packet payload.

Package Linux Kernel
Published 2026-04-24
Last modified 2026-05-18
CVSS version 3.1
Patch available
Yes

CVSS 3.1 score

7.5

out of 10
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-130

CVE-2026-31635 is classified as CWE-130

See CWE-130 on MITRE CWE for full details on this weakness type.

Affected versions

Linux kernel versions 6.16 and later are affected. Fixed in 6.18.23, 6.19.13, 7.0 and their respective stable series.

Affected from
≥ 6.16
Fixed in
✓ 6.18.23 6.18.x ✓ 6.19.13 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-31635 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Frequently asked questions

  • What is CVE-2026-31635?

    CVE-2026-31635 is a High severity Linux kernel vulnerability with a CVSS score of 7.5 out of 10 . It affects Linux kernel versions from 6.16 onward and has been patched in 6.18.23, 6.19.13 and 7.0. CVE-2026-31635 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • What is the CVSS score for CVE-2026-31635?

    CVE-2026-31635 has a CVSS score of 7.5 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H .

  • Is there a patch available for CVE-2026-31635?

    Yes — CVE-2026-31635 has been patched. Fixed versions include 6.18.23, 6.19.13 and 7.0. If you are running Linux kernel 6.16 or later up to the fix versions, apply the relevant patch for your kernel branch.

  • Is CVE-2026-31635 actively exploited?

    No — CVE-2026-31635 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Back to
All CVEs
View on
NVD / NIST