Bug 2461520 (CVE-2026-31633)

Summary: CVE-2026-31633 kernel: rxrpc: Fix integer overflow in rxgk_verify_response()
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's rxrpc component. A potential integer overflow exists in the `rxgk_verify_response()` function: the `token_len` value is rounded up before a critical length check, so the rounding can wrap and the check can be bypassed. Because the response is expected to fit within a single User Datagram Protocol (UDP) packet, bypassing this check could lead to unexpected behavior or resource exhaustion.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-24 15:06:17 UTC
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix integer overflow in rxgk_verify_response()

In rxgk_verify_response(), there's a potential integer overflow due to
rounding up token_len before checking it, thereby allowing the length check to
be bypassed.

Fix this by checking the unrounded value against len too (len is limited as
the response must fit in a single UDP packet).
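The following is an added, constructed illustration of the flaw class the commit message describes; it is not the kernel's `rxgk_verify_response()` code and not the upstream patch. It assumes 32-bit unsigned lengths, a 4-byte padding granularity, and that the available space `len` is bounded by one UDP payload (all assumptions made here). It places the flawed "round, then check" pattern beside the hardened "check the unrounded value first" pattern and shows how a length near `UINT32_MAX` rounds down to a tiny value in the flawed version.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not the kernel's rxgk code. Assumptions:
 * lengths are 32-bit unsigned, token data is padded to a 4-byte boundary,
 * and the available space `len` is bounded by one UDP payload. */

#define PAD 4u
#define MAX_UDP_PAYLOAD 65507u  /* largest IPv4 UDP payload; assumed bound on len */

/* Round n up to a multiple of PAD. When n is within PAD-1 of UINT32_MAX the
 * addition wraps and the result is smaller than n (it can even be 0). */
static uint32_t round_up_pad(uint32_t n)
{
    return (n + (PAD - 1)) & ~(PAD - 1);
}

/* True when rounding n wrapped: the "rounded" value is below the input. */
static bool round_up_wrapped(uint32_t n)
{
    return round_up_pad(n) < n;
}

/* Flawed pattern: only the rounded length is compared with len. A token_len
 * near UINT32_MAX rounds to a tiny value and passes the check. */
bool check_rounded_only(uint32_t token_len, uint32_t len)
{
    uint32_t padded = round_up_pad(token_len);
    return padded <= len;
}

/* Hardened pattern following the fix's idea: compare the unrounded value with
 * len first. Because len is itself bounded by one UDP payload, any token_len
 * that passes this check is far too small for the rounding to wrap. */
bool check_unrounded_first(uint32_t token_len, uint32_t len)
{
    if (len > MAX_UDP_PAYLOAD)
        return false;             /* caller error: len must fit one packet */
    if (token_len > len)
        return false;             /* unrounded check: wrapping cannot help */
    uint32_t padded = round_up_pad(token_len);
    return padded <= len;         /* now safe: no wrap is possible here */
}

int main(void)
{
    const uint32_t len = 1000;    /* constructed: bytes left in the packet */
    const uint32_t samples[] = { 5, 998, 999, 0xFFFFFFFEu };

    printf("%12s %12s %8s %8s %8s\n", "token_len", "rounded", "wrapped",
           "flawed", "fixed");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = samples[i];
        printf("%12" PRIu32 " %12" PRIu32 " %8s %8s %8s\n", n, round_up_pad(n),
               round_up_wrapped(n) ? "yes" : "no",
               check_rounded_only(n, len) ? "pass" : "reject",
               check_unrounded_first(n, len) ? "pass" : "reject");
    }
    return 0;
}
```

The row for `0xFFFFFFFE` is the interesting one: it rounds to 0, so the flawed check accepts a token that is claimed to be about 4 GiB long against a 1000-byte budget, while the hardened check rejects it on the unrounded comparison. The `round_up_wrapped()` helper is the condition a reviewer can look for in any "round up, then bounds-check" sequence on an attacker-controlled length.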