{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31630", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.124Z", "datePublished": "2026-04-24T14:44:46.606Z", "dateUpdated": "2026-05-11T22:12:31.832Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:31.832Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: proc: size address buffers for %pISpc output\n\nThe AF_RXRPC procfs helpers format local and remote socket addresses into\nfixed 50-byte stack buffers with \"%pISpc\".\n\nThat is too small for the longest current-tree IPv6-with-port form the\nformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a\ndotted-quad tail not only for v4mapped addresses, but also for ISATAP\naddresses via ipv6_addr_is_isatap().\n\nAs a result, a case such as\n\n [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535\n\nis possible with the current formatter. That is 50 visible characters, so\n51 bytes including the trailing NUL, which does not fit in the existing\nchar[50] buffers used by net/rxrpc/proc.c.\n\nSize the buffers from the formatter's maximum textual form and switch the\ncall sites to scnprintf().\n\nChanges since v1:\n- correct the changelog to cite the actual maximum current-tree case\n explicitly\n- frame the proof around the ISATAP formatting path instead of the earlier\n mapped-v4 example"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rxrpc/proc.c"], "versions": [{"version": "75b54cb57ca34cbe7a87c6ac757c55360a624590", "lessThan": "db297c78ce537c9ac96f0eda9b25ad72c8caefa9", "status": "affected", "versionType": "git"}, {"version": "75b54cb57ca34cbe7a87c6ac757c55360a624590", "lessThan": "10ebed83f9f6414af4e85bc85ffaeda7effdd874", "status": "affected", "versionType": "git"}, {"version": "75b54cb57ca34cbe7a87c6ac757c55360a624590", "lessThan": "a44ce6aa2efb61fe44f2cfab72bb01544bbca272", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rxrpc/proc.c"], "versions": [{"version": "4.9", "status": "affected"}, {"version": "0", "lessThan": "4.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/db297c78ce537c9ac96f0eda9b25ad72c8caefa9"}, {"url": "https://git.kernel.org/stable/c/10ebed83f9f6414af4e85bc85ffaeda7effdd874"}, {"url": "https://git.kernel.org/stable/c/a44ce6aa2efb61fe44f2cfab72bb01544bbca272"}], "title": "rxrpc: proc: size address buffers for %pISpc output", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "59855615-6720-4D3F-83EB-B5CCFD90FBD3", "versionEndExcluding": "6.18.23", "versionStartIncluding": "4.9.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.9:-:*:*:*:*:*:*", "matchCriteriaId": "592761F7-6672-484E-8490-1187F4CDD13E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: proc: size address buffers for %pISpc output\n\nThe AF_RXRPC procfs helpers format local and remote socket addresses into\nfixed 50-byte stack buffers with \"%pISpc\".\n\nThat is too small for the longest current-tree IPv6-with-port form the\nformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a\ndotted-quad tail not only for v4mapped addresses, but also for ISATAP\naddresses via ipv6_addr_is_isatap().\n\nAs a result, a case such as\n\n [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535\n\nis possible with the current formatter. That is 50 visible characters, so\n51 bytes including the trailing NUL, which does not fit in the existing\nchar[50] buffers used by net/rxrpc/proc.c.\n\nSize the buffers from the formatter's maximum textual form and switch the\ncall sites to scnprintf().\n\nChanges since v1:\n- correct the changelog to cite the actual maximum current-tree case\n explicitly\n- frame the proof around the ISATAP formatting path instead of the earlier\n mapped-v4 example"}], "id": "CVE-2026-31630", "lastModified": "2026-04-27T20:30:55.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:42.323", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/10ebed83f9f6414af4e85bc85ffaeda7effdd874"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a44ce6aa2efb61fe44f2cfab72bb01544bbca272"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/db297c78ce537c9ac96f0eda9b25ad72c8caefa9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: rxrpc: proc: size address buffers for %pISpc output", "id": "2461545", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461545"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel, specifically within the rxrpc component. The AF_RXRPC procfs helpers use fixed-size buffers to format local and remote socket addresses. When processing certain IPv6 addresses with ports, the formatted string can exceed the buffer's capacity, leading to a buffer overflow. This memory corruption vulnerability can cause system instability or a denial of service (DoS)."], "name": "CVE-2026-31630", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31630\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31630\nhttps://lore.kernel.org/linux-cve-announce/2026042453-CVE-2026-31630-4218@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[75b54cb57ca34cbe7a87c6ac757c55360a624590,db297c78ce537c9ac96f0eda9b25ad72c8caefa9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[75b54cb57ca34cbe7a87c6ac757c55360a624590,10ebed83f9f6414af4e85bc85ffaeda7effdd874)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[75b54cb57ca34cbe7a87c6ac757c55360a624590,a44ce6aa2efb61fe44f2cfab72bb01544bbca272)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.9"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,4.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.23,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.13,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T20:07:25.521619+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that includes the buffer\u2011resize patch for AF_RXRPC procfs output (e.g., upgrade to a kernel containing commit 10ebed83f9f...).", "If an official distribution update is unavailable, rebuild the kernel from source with the upstream commit applied and install the patched kernel image.", "After installing the patched kernel, restart any services that use AF_RXRPC networking and, if feasible, disable AF_RXRPC usage on systems where it is not required to minimize exposure until the kernel patch is in place."], "summary": {"action": "Apply Patch", "impact": "Stack-based buffer overflow in Linux kernel AF_RXRPC procfs output"}, "threat_synthesis": {"affected_systems": "All kernel releases that include the original AF_RXRPC procfs code with the 50\u2011byte buffer are vulnerable. The CPE data lists kernel version 4.9 and all 7.0 release candidates up to rc7, so any distribution shipping those kernels without the upstream patch is affected until a fix is applied.", "description_and_impact": "The Linux kernel formats AF_RXRPC socket addresses into a fixed 50\u2011byte stack buffer using the %pISpc conversion specifier. For certain IPv6\u2013to\u2011IPv4 mapped or ISATAP addresses, the string representation can be 50 characters long, requiring 51 bytes when the terminating NUL byte is added. Because the buffer is only 50 bytes, the formatting operation overflows the stack, corrupting kernel memory. This defect can cause a kernel crash, random kernel state changes, or other unpredictable behavior, but does not provide direct code execution or clear privilege escalation from the information supplied.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, while the EPSS score of <1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits. Exploitation depends on the kernel formatting an oversized address representation, a condition that is not trivially engineered remotely, so the practical risk is high severity but low exploitation probability."}}}}, "created": "2026-04-27T18:45:11.325592+00:00", "updated": "2026-04-28T20:15:26.812647+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}