CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31641 – rxrpc: Fix RxGK token loading to check bounds
https://notcve.org/view.php?id=CVE-2026-31641
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix RxGK token loading to check bounds rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap bu... • https://git.kernel.org/stable/c/0ca100ff4df64f5d0f6c1dd5080c3e096786bea6 • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31640 – rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial
https://notcve.org/view.php?id=CVE-2026-31640
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false. Fix this by switching to look at the older packet. Fix further[1] to substitute the new packet in place of the old one if newe... • https://git.kernel.org/stable/c/5800b1cf3fd8ccab752a101865be1e76dac33142 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31639 – rxrpc: Fix key reference count leak from call->key
https://notcve.org/view.php?id=CVE-2026-31639
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key reference count leak from call->key When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by freeing call->key in rxrpc_destroy_call(). Before the patch, it shows the key reference counter elevated: $ cat /proc/keys | grep afs@54321 1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka $ A... • https://git.kernel.org/stable/c/f3441d4125fc98995858550a5521b8d7daf0504a •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31638 – rxrpc: Only put the call ref if one was acquired
https://notcve.org/view.php?id=CVE-2026-31638
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel cra... • https://git.kernel.org/stable/c/5e6ef4f1017c7f844e305283bbd8875af475e2fc • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31637 – rxrpc: reject undecryptable rxkad response tickets
https://notcve.org/view.php?id=CVE-2026-31637
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKAD... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31636 – rxrpc: fix RESPONSE authenticator parser OOB read
https://notcve.org/view.php?id=CVE-2026-31636
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer. Decoded from the original latest-net reproduction logs with scripts/decode_stackt... • https://git.kernel.org/stable/c/9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31635 – rxrpc: fix oversized RESPONSE authenticator length check
https://notcve.org/view.php?id=CVE-2026-31635
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/... • https://git.kernel.org/stable/c/9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31634 – rxrpc: fix reference count leak in rxrpc_server_keyring()
https://notcve.org/view.php?id=CVE-2026-31634
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpc_server_keyring() This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set. • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31633 – rxrpc: Fix integer overflow in rxgk_verify_response()
https://notcve.org/view.php?id=CVE-2026-31633
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix integer overflow in rxgk_verify_response() In rxgk_verify_response(), there's a potential integer overflow due to rounding up token_len before checking it, thereby allowing the length check to be bypassed. Fix this by checking the unrounded value against len too (len is limited as the response must fit in a single UDP packet). • https://git.kernel.org/stable/c/9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31632 – rxrpc: Fix leak of rxgk context in rxgk_verify_response()
https://notcve.org/view.php?id=CVE-2026-31632
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix leak of rxgk context in rxgk_verify_response() Fix rxgk_verify_response() to clean up the rxgk context it creates. • https://git.kernel.org/stable/c/9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a • CWE-401: Missing Release of Memory after Effective Lifetime •