31 matches found
CVE-2026-31636
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...
DEBIAN-CVE-2026-31636
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...
CVE-2026-31636
Summary: CVE-2026-31636 affects the Linux kernel rxrpc subsystem. The root cause is in rxgk_verify_authenticator(), which copies auth_len into a temporary buffer and then uses p + auth_len as the parser limit. Because p is a __be32*, this inflates the parser end pointer by four, enabling a slab-o...
EUVD-2026-25529
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...
CVE-2026-31636 rxrpc: fix RESPONSE authenticator parser OOB read
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...
CVE-2026-31636
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgkverifyauthenticator copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgkdoverifyauthenticator. Since p is a be32 , that inflate...
EUVD-2026-25528
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...
CVE-2026-31635 rxrpc: fix oversized RESPONSE authenticator length check
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...
CVE-2026-31635
CVE-2026-31635 affects the Linux kernel rxrpc component. The vulnerability stems from an inverted length check in rxgk_verify_response(), where oversized RESPONSE authenticators can be accepted and later cause a contradictory length that leads to a BUG_ON(len) in skb_to_sgvec(). This can crash th...
CVE-2026-31635
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...
CVE-2026-31635 rxrpc: fix oversized RESPONSE authenticator length check
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...
CVE-2026-31635
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgkverifyresponse decodes authlen from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE...
PT-2026-34988
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgk verify authenticator copies auth len bytes into a temporary buffer and then passes p + auth len as the parser limit to rxgk do verify authenticator. Since p is a be32 , that...
PT-2026-34987
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A memory corruption issue exists in the RxRPC subsystem of the Linux kernel, specifically within the rxgk verify response function. The function incorrectly validates the auth len...
Juniper Junos OS Vulnerability (JSA100056)
The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA100056 advisory. - RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response Access-Accept, Access-Reject, or Access-Challenge t...
Siemens SCALANCE, RUGGEDCOM, SIPLUS, and SINEC RADIUS Protocol Forgery Attacks (CVE-2024-3596)
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify responses Access-Reject or Access-Accept using a chosen-prefix collision attack against MD5 Response Authenticator signature. This plugin only works with Tenable.ot. Please visit...
Fortinet Fortigate RADIUS Protocol CVE-2024-3596 (FG-IR-24-255)
The version of Fortigate installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-24-255 advisory. - RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response...
Fortinet FortiWeb RADIUS Protocol CVE-2024-3596 (FG-IR-24-255)
The version of FortiWeb installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-24-255 advisory. - RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response...
Mageia: Security Advisory (MGASA-2024-0385)
The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Updated krb5 packages fix security vulnerability
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response Access-Accept, Access-Reject, or Access-Challenge to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. CVE-2024-3596...