DEBIAN-CVE-2026-31636
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix RESPONSE authenticator parser OOB read

rxgk_verify_authenticator() copies authlen bytes into a temporary buffer and then passes p + authlen as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer.

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
Call Trace:
 dump_stack_lvl() [lib/dump_stack.c:123]
 print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]
 kasan_report() [mm/kasan/report.c:597]
 rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
 process_one_work() [kernel/workqueue.c:3281]
 worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
 kthread() [kernel/kthread.c:436]
 ret_from_fork() [arch/x86/kernel/process.c:164]

Allocated by task 54:
 rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]

Convert the byte count to __be32 units before constructing the parser limit.
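To make the unit mismatch concrete, here is an added example (my own code, not the kernel's): a small model of the parser-limit computation. limit_fixed() renders the fix as I read the description (an assumption, the kernel's exact expression may differ), and an arena four times larger than the object stands in for the slab so the vulnerable limit can be walked without undefined behaviour while still being reported as an out-of-bounds read.

```c
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t be32;   /* stand-in for the kernel's __be32 */

/* Vulnerable: p is a be32 *, so p + authlen advances authlen * 4 bytes. */
static const be32 *limit_vulnerable(const be32 *p, size_t authlen)
{
    return p + authlen;
}

/* Fixed: convert the byte count to be32 units before the pointer add
 * (my rendering of the fix; the kernel's exact expression may differ). */
static const be32 *limit_fixed(const be32 *p, size_t authlen)
{
    return p + authlen / sizeof(be32);
}

/* Model of the slab: an arena 4x the object size so the vulnerable pointer
 * stays inside real memory for this demo; only the first authlen bytes are
 * the "kmalloc(authlen)" object. Walks words up to the chosen limit as the
 * parser would and returns -1 as soon as a read would touch bytes the object
 * does not own (the condition KASAN flagged). Otherwise returns the number of
 * words parsed. authlen must be a non-zero multiple of 4. */
int parse_authenticator(size_t authlen, int use_fix)
{
    be32 *arena = calloc(authlen, sizeof(be32));   /* authlen * 4 bytes */
    if (!arena)
        return -2;
    const be32 *p = arena;
    const be32 *end = use_fix ? limit_fixed(p, authlen)
                              : limit_vulnerable(p, authlen);
    int words = 0;
    for (const be32 *q = p; q < end; q++) {
        size_t off = (size_t)((const char *)q - (const char *)arena);
        if (off + sizeof(be32) > authlen) {   /* past the kmalloc() object */
            free(arena);
            return -1;
        }
        words++;
    }
    free(arena);
    return words;
}
```

With a 16-byte authenticator the vulnerable limit sits 64 bytes past the start of a 16-byte object, so the walk trips the bounds check after the fourth word; the fixed limit stops exactly at the object end.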
References
https://security-tracker.debian.org/tracker/CVE-2026-31636
