Lucene search
+L

34 matches found

redhat
redhat
added 2026/06/25 11:21 p.m.6 views

kernel: rxrpc: fix RESPONSE authenticator parser OOB read

A flaw was found in the Linux kernel's rxrpc subsystem. A remote attacker could send a specially crafted rxrpc RESPONSE authenticator that, due to an incorrect parser limit calculation in the rxgkverifyauthenticator function, leads to a slab-out-of-bounds read. This memory corruption vulnerabilit...

9.1CVSS5.8AI score0.00442EPSS
Exploits0References5
nvd
nvd
added 2026/04/24 3:16 p.m.5 views

CVE-2026-31636

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...

9.1CVSS0.00442EPSS
Exploits0References3
osv
osv
added 2026/04/24 3:16 p.m.5 views

DEBIAN-CVE-2026-31636

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...

9.1CVSS5.6AI score0.00442EPSS
Exploits0References1
euvd
euvd
added 2026/04/24 2:44 p.m.6 views

EUVD-2026-25529

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...

5.5AI score0.00442EPSS
Exploits0References3
cvelist
cvelist
added 2026/04/24 2:44 p.m.40 views

CVE-2026-31636 rxrpc: fix RESPONSE authenticator parser OOB read

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...

9.1CVSS0.00442EPSS
Exploits0References3
osv
osv
added 2026/04/24 2:44 p.m.1 views

CVE-2026-31636 rxrpc: fix RESPONSE authenticator parser OOB read

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...

9.1CVSS6.6AI score0.00442EPSS
Exploits0References6
debiancve
debiancve
added 2026/04/24 2:44 p.m.4 views

CVE-2026-31636

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...

9.1CVSS5.5AI score0.00442EPSS
Exploits0
cve
cve
added 2026/04/24 2:44 p.m.51 views

CVE-2026-31636

Summary: CVE-2026-31636 affects the Linux kernel rxrpc subsystem. The root cause is in rxgk_verify_authenticator(), which copies auth_len into a temporary buffer and then uses p + auth_len as the parser limit. Because p is a __be32*, this inflates the parser end pointer by four, enabling a slab-o...

9.1CVSS5.5AI score0.00442EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 2026/04/24 2:44 p.m.39 views

CVE-2026-31635 rxrpc: fix oversized RESPONSE authenticator length check

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...

7.5CVSS0.00817EPSS
Exploits4References3
debiancve
debiancve
added 2026/04/24 2:44 p.m.5 views

CVE-2026-31635

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...

7.5CVSS5.2AI score0.00817EPSS
Exploits4
euvd
euvd
added 2026/04/24 2:44 p.m.7 views

EUVD-2026-25528

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...

5.4AI score0.00817EPSS
Exploits4References3
vulnrichment
vulnrichment
added 2026/04/24 2:44 p.m.5 views

CVE-2026-31635 rxrpc: fix oversized RESPONSE authenticator length check

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...

7.5CVSS5.8AI score0.00817EPSS
Exploits4References3
attackerkb
attackerkb
added 2026/04/24 2:44 p.m.2 views

CVE-2026-31635

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...

5.4AI score0.00817EPSS
Exploits4References4Affected Software1
cve
cve
added 2026/04/24 2:44 p.m.136 views

CVE-2026-31635

CVE-2026-31635 affects the Linux kernel rxrpc component. The vulnerability stems from an inverted length check in rxgk_verify_response(), where oversized RESPONSE authenticators can be accepted and later cause a contradictory length that leads to a BUG_ON(len) in skb_to_sgvec(). This can crash th...

7.5CVSS5.4AI score0.00817EPSS
Exploits4References4Affected Software1
osv
osv
added 2026/04/24 2:44 p.m.1 views

CVE-2026-31635 rxrpc: fix oversized RESPONSE authenticator length check

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...

7.5CVSS6.8AI score0.00817EPSS
Exploits4References7
ptsecurity
ptsecurity
added 2026/04/24 12:0 a.m.6 views

PT-2026-34988

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An out-of-bounds read exists in the rxrpc component. The function rxgk verify authenticator copies auth len bytes into a temporary buffer and passes the parser limit to rxgk do verify...

9.1CVSS7.4AI score0.00442EPSS
Exploits0References32
nessus
nessus
added 2026/04/08 12:0 a.m.13 views

Juniper Junos OS Vulnerability (JSA100056)

The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA100056 advisory. - RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response Access-Accept, Access-Reject, or Access-Challenge t...

9CVSS7AI score0.14859EPSS
Exploits2References2
ptsecurity
ptsecurity
added 2026/04/08 12:0 a.m.6 views

PT-2026-34987

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A memory corruption issue exists in the RxRPC subsystem of the Linux kernel, specifically within the rxgk verify response function. The function incorrectly validates the auth len...

9.4CVSS6.5AI score0.00817EPSS
Exploits4References158
nessus
nessus
added 2025/06/27 12:0 a.m.6 views

Siemens SCALANCE, RUGGEDCOM, SIPLUS, and SINEC RADIUS Protocol Forgery Attacks (CVE-2024-3596)

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify responses Access-Reject or Access-Accept using a chosen-prefix collision attack against MD5 Response Authenticator signature. This plugin only works with Tenable.ot. Please visit...

9CVSS7.1AI score0.14859EPSS
Exploits2References24
nessus
nessus
added 2025/03/07 12:0 a.m.29 views

Fortinet Fortigate RADIUS Protocol CVE-2024-3596 (FG-IR-24-255)

The version of Fortigate installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-24-255 advisory. - RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response...

9CVSS8AI score0.14859EPSS
Exploits2References4
Rows per page
Query Builder