CVE-2026-31635
rxrpc: fix oversized RESPONSE authenticator length check
Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)] Call Trace: skb_to_sgvec() [net/core/skbuff.c:5305] rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] rxgk_verify_response() [net/rxrpc/rxgk.c:1268] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Reject authenticator lengths that exceed the remaining packet payload.
INFO
Published Date :
April 24, 2026, 3:16 p.m.
Last Modified :
May 18, 2026, 3:16 p.m.
Remotely Exploit :
Yes !
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Solution
- Update the Linux kernel to the latest version.
- Apply the specific patch for rxrpc authenticator length check.
- Verify the fix by testing response authenticator handling.
Public PoC/Exploit Available at Github
CVE-2026-31635 has a 14 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-31635.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-31635 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-31635
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Multi-architecture Linux privilege escalation toolkit with 19 pre-built and runtime-compilable exploits. Auto-detects kernel version, filters patched exploits, tries each until root.
ctf cybersecurity exploit gtfobins kernel-exploit linux penetration-testing privilege-escalation security
Makefile Shell C Go
Патч-скрипты для устранения критических уязвимостей (Copy Fail, Dirty Frag, PinTheft, GRO Frag) в РЕД ОС 7.3 и РЕД ОС 8.0
fstec linux-kernel security-scripts red-os cve-mitigation
Shell
A Go implementation of dirtydecrypt (CVE-2026-31635)
Go
None
Makefile C Assembly
Linux local privilege escalation PoCs and mitigations.
C Makefile
Exploit for DirtyDecrypt - CVE-2026-31635 Local Privilege Escalation
C
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
CVE-2026-31635
C
Audit CVE impact, patch status, remediation progress, and verification results across systems.
Makefile Go
Linux Privilege Escalation Framework — comprehensive privilege escalation vector analysis. The **π** motif reflects the ratio *C/d* (circumference to diameter): mapping attack surface to effective privilege boundaries.
linux privelage-escalation privileges shell-script cve-2026-31431 cve-2026-41651 cve-2026-43284 cve-2026-43500 cve-2026-46243 cve-2026-46300 cve-2026-46333 cve-2026-31635
Makefile Shell Go Template Python
SecDB - Security Feeds
cve security-feeds vulnerability
OSCP Cheat Sheet
oscp oscp-guide cheat-sheet cheatsheet offensive offensive-security offsec penetration-testing pentesting security oscp-plus
Python Shell C PHP PowerShell ASP.NET
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-31635 vulnerability anywhere in the article.
-
The Hacker News
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Google on Monday released patches for 124 security vulnerabilities impacting its Android operating system for the month of June 2026, including one high-severity flaw in the Framework component that h ... Read more
-
The Hacker News
Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine
The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per S ... Read more
-
The Hacker News
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw impacting Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) Catalog, ba ... Read more
-
The Hacker News
Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts
Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro, a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrat ... Read more
-
The Hacker News
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as C ... Read more
-
The Hacker News
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible ... Read more
-
The Hacker News
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. "The campaign a ... Read more
-
The Hacker News
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
Microsoft has come out strongly in favor of Coordinated Vulnerability Disclosure (CVD), urging the research community to share their findings and give affected vendors an opportunity to better underst ... Read more
-
The Hacker News
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, an ... Read more
-
The Hacker News
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
Microsoft has warned of an active cryptojacking campaign that makes use of artificial intelligence (AI) chatbot interactions as a mechanism for surfacing malicious download sites. "This emerging deliv ... Read more
-
The Hacker News
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors in attacks without requiring any specialized conditions to be m ... Read more
-
The Hacker News
KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web she ... Read more
-
The Hacker News
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity ... Read more
-
CybersecurityNews
DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released
A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability dubbed DirtyDecrypt, also tracked as DirtyCBC, enables local attackers to gain full r ... Read more
The following table lists the changes that have been made to the
CVE-2026-31635 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
May. 18, 2026
Action Type Old Value New Value Added CWE CWE-130 Added Reference https://github.com/v12-security/pocs/tree/main/dirtydecrypt -
Initial Analysis by [email protected]
Apr. 27, 2026
Action Type Old Value New Value Added CWE NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 6.19.13 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.16.1 up to (excluding) 6.18.23 Added Reference Type kernel.org: https://git.kernel.org/stable/c/a2567217ade970ecc458144b6be469bc015b23e5 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/beee051f259acd286fed64c32c2b31e6f5097eb5 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305 Types: Patch -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Apr. 27, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Apr. 24, 2026
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)] Call Trace: skb_to_sgvec() [net/core/skbuff.c:5305] rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] rxgk_verify_response() [net/rxrpc/rxgk.c:1268] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Reject authenticator lengths that exceed the remaining packet payload. Added Reference https://git.kernel.org/stable/c/a2567217ade970ecc458144b6be469bc015b23e5 Added Reference https://git.kernel.org/stable/c/beee051f259acd286fed64c32c2b31e6f5097eb5 Added Reference https://git.kernel.org/stable/c/e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305