CVE-2026-31696
Received Received - Intake
Buffer Overflow in Linux Kernel rxrpc

Publication date: 2026-05-01

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <= 28 bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR path fails to do so. This allows an unprivileged user to provide a very large ticket length. When this key is later read via rxrpc_read(), the total token size (toksize) calculation results in a value that exceeds AFSTOKEN_LENGTH_MAX, triggering a WARN_ON(). [ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc] Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, bringing it into parity with the XDR parsing logic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31696
EUVD
EUVD-2026-26505
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.84 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.25 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
linux linux_kernel From 3.17 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability allows an unprivileged user to supply a very large ticket length that is not properly validated. This can lead to a kernel warning (WARN_ON()) due to an overflow in token size calculation. While the description does not explicitly mention exploitation beyond triggering warnings, such kernel warnings can potentially lead to system instability or denial of service conditions.

Executive Summary

This vulnerability exists in the Linux kernel's rxrpc component, specifically in the function rxrpc_preparse(). There are two paths for parsing key payloads: the XDR path for large payloads and the non-XDR path for smaller payloads (28 bytes or less). While the XDR path correctly validates the ticket length, the non-XDR path does not. This allows an unprivileged user to provide an excessively large ticket length, which later causes a calculation overflow and triggers a warning in the kernel.

Detection Guidance

This vulnerability triggers a kernel warning when exploited, specifically a WARN_ON() in the rxrpc_read() function due to an invalid ticket length exceeding AFSTOKEN_LENGTH_MAX.

To detect this vulnerability on your system, you can monitor your kernel logs for warnings related to rxrpc_read and ticket length issues.

  • Use the command: dmesg | grep 'rxrpc_read' to check for relevant kernel warnings.
  • Alternatively, check system logs with: journalctl -k | grep 'rxrpc_read'
Mitigation Strategies

The vulnerability is fixed by adding validation in the non-XDR parsing path to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

Until the update is applied, monitor kernel logs for warnings indicating exploitation attempts and restrict unprivileged user access to the rxrpc subsystem if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31696. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart