{
  "threat_severity" : "Important",
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: rxrpc: Fix RxGK token loading to check bounds",
    "id" : "2461548",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461548"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nrxrpc: Fix RxGK token loading to check bounds\nrxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length\nfrom the XDR token as u32 values and passes each through round_up(x, 4)\nbefore using the rounded value for validation and allocation.  When the raw\nlength is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and\nkzalloc both use 0 while the subsequent memcpy still copies the original\n~4 GiB value, producing a heap buffer overflow reachable from an\nunprivileged add_key() call.\nFix this by:\n(1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket\nlengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with\nthe caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.\n(2) Sizing the flexible-array allocation from the validated raw key\nlength via struct_size_t() instead of the rounded value.\n(3) Caching the raw lengths so that the later field assignments and\nmemcpy calls do not re-read from the token, eliminating a class of\nTOCTOU re-parse.\nThe control path (valid token with lengths within bounds) is unaffected.", "A flaw was found in the Linux kernel's rxrpc subsystem. An unprivileged local user could exploit an integer overflow vulnerability in the `rxrpc_preparse_xdr_yfs_rxgk()` function. This flaw occurs when processing specially crafted key and ticket lengths, causing an incorrect memory allocation size. Consequently, a heap buffer overflow can occur, potentially leading to arbitrary code execution or a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-20T00:00:00Z",
    "advisory" : "RHSA-2026:27288",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "kernel-0:6.12.0-211.26.1.el10_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31641\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31641\nhttps://lore.kernel.org/linux-cve-announce/2026042457-CVE-2026-31641-2dee@gregkh/T" ],
  "name" : "CVE-2026-31641",
  "csaw" : false
}