CVE-2026-31635: When the Bounds Check Faced the Wrong Way

A single character in net/rxrpc/rxgk.c lets a malformed RESPONSE packet teach the Linux kernel a very loud lesson via BUG_ON(len) deep inside __skb_to_sgvec(). The fix flips < to >. That is the whole story, and that is exactly why it is worth telling.

The advisory in plain English

The Linux kernel ships an rxrpc transport — the wire protocol underneath AFS — and inside rxrpc there is an optional security class called yfs-rxgk (GSSAPI-flavoured authentication for AuriStor's YFS). When a client sends a RESPONSE packet to complete the handshake, rxgk_verify_response() in net/rxrpc/rxgk.c peels the header, then reads a 4-byte big-endian field giving the length of an encrypted authenticator that should live in the remaining payload. The function is supposed to validate that the declared length fits in the bytes that are actually still in the sk_buff. It doesn't. The comparison is inverted. An attacker who can speak rxrpc to a vulnerable host can therefore declare an authenticator length of, say, 0xFFFFFFFC, watch it sail past the "is this packet too short?" check, and ride it all the way into skb_to_sgvec(), where the kernel reaches BUG_ON(len) and the workqueue panics.

CVSS 7.5 / HIGH. No memory disclosure, no privilege escalation in the advisory text — just an unauthenticated remote kernel oops, which on enterprise kernels (RHEL, SLES) where panic_on_oops=1 is common (or simply because the workqueue dies wedged) is a denial of service. The PoC published by v12-security under the name DirtyDecrypt makes the path reachable from a single crafted packet; I'm not going to disassemble it here — the bug itself is the entire interesting object.

The flawed function

The bookkeeping at the top of rxgk_verify_response() is the kind of careful little ledger that kernel network code does dozens of times per file. offset and len track where we are and how much is left in the skb after we strip off the rxrpc wire header. From net/rxrpc/rxgk.c (mainline at commit a2567217, post-fix):

// net/rxrpc/rxgk.c, rxgk_verify_response()
unsigned int offset = sizeof(struct rxrpc_wire_header);
unsigned int len    = skb->len - sizeof(struct rxrpc_wire_header);

Then a fixed-size response header is copied out, offset advances, len shrinks. Next, four bytes of "encrypted authenticator length" are pulled from wherever we are in the packet:

// same file, same function, a little further down
if (skb_copy_bits(skb, offset, &xauth_len, sizeof(xauth_len)) < 0)
    goto short_packet;
offset += sizeof(xauth_len);
len    -= sizeof(xauth_len);

xauth_len is on-the-wire data. Every byte of it is attacker-controlled. After this point, len is exactly the number of bytes left in the skb that the authenticator could possibly occupy.

Now the check itself — quoted from the pre-fix tree (net/rxrpc/rxgk.c line 1224, blob 01dbdf0b5cf2e, as it appears in the diff of commit a2567217ade970ecc458144b6be469bc015b23e5):

auth_offset = offset;
auth_len    = ntohl(xauth_len);
if (auth_len < len)        // <-- backwards
    goto short_packet;
if (auth_len & 3)
    goto inconsistent;

short_packet is the failure label — it calls rxrpc_abort_conn(..., RXGK_PACKETSHORT, -EPROTO, ...) and bails. So with < here, the function aborts the connection precisely when the declared authenticator is smaller than the remaining payload — i.e. the well-formed case. And it sails through unimpeded when the declared authenticator is larger than the remaining payload — i.e. the malicious case. The label name says one thing; the comparator does the opposite.

There is a clue in the very next line: if (auth_len & 3) goto inconsistent; — a sanity check that authenticators are 4-byte aligned. Right alongside it is if (auth_len < 20 + 9 * 4) goto auth_too_short;, a minimum length check. So the lower bound on auth_len is policed; the upper bound is not. A reviewer skimming the file sees three consecutive validations and thinks "yes, this looks like proper input handling." Only if you read the comparator in line 1 of the trio do you notice the rest of the validations are guarding nothing — by then, an attacker-shaped auth_len has already passed.

Why the check was insufficient

There is a folk taxonomy of "bounds-check bugs" in C, and it has more than one slot. People reach for missing check, which is the easy case: the developer forgot to write the comparison at all. This is not that. There is off-by-one, where < should be <= or vice versa: a one-element overrun. This is not that either. This is bounds-check inversion — the operator itself is reversed — and it tends to slip through review for a specific reason: the line looks defensive. It has the right variables (auth_len, len), the right label (short_packet), the right structural placement (right after the wire decode, before consumption). A code-review eye trained to look for "is there a check?" sees a check and moves on. A compiler will not warn. Coverity, in the kernel's normal configuration, will not flag it. Smatch — Dan Carpenter's kernel-native semantic checker — also misses it: both operands are correctly typed, the branch target looks defensive, and smatch's rules fire on dataflow anomalies rather than operator-direction mismatches. Its sibling sparse (run via make C=1) catches endianness, lock-context, and type errors, but operator-direction sits outside its remit too. Even a fuzzer needs to actually hit the over-length branch and survive the next two validators and propagate the bogus length far enough downstream to detonate before it generates a useful crash report.

What does len mean at this point? It's the number of bytes remaining in the skb after the response header and the length field itself were consumed. So the correct invariant for "this authenticator fits in what's left of the packet" is auth_len <= len. The label short_packet is named from the receiver's perspective — I was told the authenticator is this big, but the packet is too short to hold it. That happens precisely when auth_len > len. The fix is the contrapositive of the original, and that is what the patch is.

What the fix changed

The mainline fix, commit a2567217ade970ecc458144b6be469bc015b23e5, signed off by Keenan Dong and David Howells via the net tree (Jakub Kicinski), is exactly one character of source change:

--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -1224,7 +1224,7 @@ static int rxgk_verify_response(...)
 	auth_offset = offset;
 	auth_len    = ntohl(xauth_len);
-	if (auth_len < len)
+	if (auth_len > len)
 		goto short_packet;

The other two SHAs in the advisory (e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305 and beee051f259acd286fed64c32c2b31e6f5097eb5) are not follow-up hardening — and I want to be honest about that, because I went in expecting one fix plus two refinements. They are not. The header on both says commit a2567217ade970ecc458144b6be469bc015b23e5 upstream. and both are signed off by Greg Kroah-Hartman — the unmistakable shape of stable-tree backports. The diff body on all three is byte-identical: same one-line flip in net/rxrpc/rxgk.c. The two stable backports apply to the same pre-fix blob (aedcadb4466f7) and produce the same post-fix blob (13ffdc9352b05); mainline operates on a slightly later state (01dbdf0b5cf2e → 9e4a4ff28913c). Two distinct revisions, three commits. So the advisory's three references are: one upstream fix, two stable backports of the same fix. There is no companion patch tightening auth_len & 3, no second commit adding a maximum bound elsewhere, no follow-up CVE. One bit of arithmetic, three trees.

The blast radius downstream of the fix is also worth naming. The reason the bug is a crash and not a quiet over-read is the helper in net/rxrpc/rxgk_common.h:

// net/rxrpc/rxgk_common.h, rxgk_decrypt_skb()
sg_init_table(sg, ARRAY_SIZE(sg));
nr_sg = skb_to_sgvec(skb, sg, *_offset, len);

That len flows directly from auth_len. skb_to_sgvec() walks the fragment list adding scatterlist entries; once it has walked off the end and len is still positive, it hits BUG_ON(len) in __skb_to_sgvec() (per the decoded stacktrace in the commit message). Because rxgk_verify_response() runs from rxrpc_process_connection() on a kernel workqueue, the panic happens in kthread/process_one_work context. There's no user process to blame, no syscall to return -EINVAL to. The kernel just gives up.

The lesson

I think there are two takeaways and I would like to be clear about which is which.

The narrow lesson is that BUG_ON is a downstream amplifier of upstream parsing bugs. Every assertion deep in skb_to_sgvec(), kfifo, the slab allocator, et al. assumes its callers have validated their lengths. A single inverted comparator a thousand lines and three call frames upstream becomes a kernel panic. That is by design — the kernel would rather die than corrupt memory — but it means the cost of any bounds-check defect in a network parser is asymmetric: not "wrong answer," but "off the air."

The broader lesson is a review-hygiene one. Code that looks like a check is not the same as code that performs a check. Reviewers — and static analyzers, and fuzzers, and our own re-reads of patches we wrote at 11pm — pattern-match on the shape of if (a OP b) goto error;. Whether OP is the operator that makes the predicate guard what its label promises to guard is a semantic question that hides inside a syntactic one. A good defence here is to write the predicate in terms of the valid case, not the error case: if (!(auth_len <= len)) goto short_packet; reads aloud as "if it isn't the case that the authenticator fits in what's left, error out," and inversion of the inner predicate produces something that no longer parses as defensive. The patch author chose the simpler character flip, which is fine for a stable backport, but the lasting fix for this class of bug is to teach our hands to write bounds in the positive form. This class of error has clear precedent in kernel network parsers, and we keep relearning the same lesson. (CVE-2021-43267, for instance, reached the TIPC stack's tipc_crypto_key_rcv() via an attacker-supplied key length that sailed past an absent bounds check — different mechanism, same root cause: length from the wire, unvalidated, consumed by a downstream allocator.)

References

• NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31635
• Mainline fix (Torvalds tree, commit a2567217): https://git.kernel.org/stable/c/a2567217ade970ecc458144b6be469bc015b23e5
• Stable backport e2f1a80d: https://git.kernel.org/stable/c/e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305
• Stable backport beee051f: https://git.kernel.org/stable/c/beee051f259acd286fed64c32c2b31e6f5097eb5
• Public PoC ("DirtyDecrypt", v12-security): https://github.com/v12-security/pocs/tree/main/dirtydecrypt — not dissected here; the kernel defect is the story.
• Introducing commit (per Fixes: tag) 9d1d2b59341f: "rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)"