CVE-2026-31696

HIGH EPSS 2.9%
Published May 1, 20261mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published May 1, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <= 28 bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR path fails to do so. This allows an unprivileged user to provide a very large ticket length. When this key is later read via rxrpc_read(), the total token size (toksize) calculation results in a value that exceeds AFSTOKEN_LENGTH_MAX, triggering a WARN_ON(). [ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc] Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, bringing it into parity with the XDR parsing logic.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel*≥3.17  –  <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.84
linuxlinux_kernel*≥6.13  –  <6.18.25
linuxlinux_kernel*≥6.19  –  <7.0.2
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/41a117dd80371343babc52198d1114e83eb37627
  • git.kernel.org https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/44714dfda386884919ba366411880b6fb3c3efd3
  • git.kernel.org https://git.kernel.org/stable/c/9a397aa9b5e53ca63d4d6aefb542832eca389618
  • git.kernel.org https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0
    Patch