CVE-2026-31630

HIGH EPSS 3.1%
Published Apr 24, 20262mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: proc: size address buffers for %pISpc output The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c. Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf(). Changes since v1: - correct the changelog to cite the actual maximum current-tree case explicitly - frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
3.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥4.9.1  –  <6.18.23
linuxlinux_kernel*≥6.19  –  <6.19.13
linuxlinux_kernel4.9any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/10ebed83f9f6414af4e85bc85ffaeda7effdd874
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/235b2115de892eab2e107a42efa7a4347baaa80b
  • git.kernel.org https://git.kernel.org/stable/c/386c86412608d3449006a318a662cbcd6ca1f668
  • git.kernel.org https://git.kernel.org/stable/c/625af53a1564e31bb2df9adc3739df46137f46c1
  • git.kernel.org https://git.kernel.org/stable/c/a44ce6aa2efb61fe44f2cfab72bb01544bbca272
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/db297c78ce537c9ac96f0eda9b25ad72c8caefa9
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/10ebed83f9f6414af4e85bc85ffaeda7effdd874
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a44ce6aa2efb61fe44f2cfab72bb01544bbca272
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/db297c78ce537c9ac96f0eda9b25ad72c8caefa9
    Patch