CVE-2026-31719
Received Received - Intake
Linux Kernel KRB5 Encryption Hash Verification Bypass

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: crypto: krb5enc - fix async decrypt skipping hash verification krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher callback, which is the caller's own completion handler. When the skcipher completes asynchronously, this signals "done" to the caller without executing krb5enc_dispatch_decrypt_hash(), completely bypassing the integrity verification (hash check). Compare with the encrypt path which correctly uses krb5enc_encrypt_done as an intermediate callback to chain into the hash computation on async completion. Fix by adding krb5enc_decrypt_done as an intermediate callback that chains into krb5enc_dispatch_decrypt_hash() upon async skcipher completion, matching the encrypt path's callback pattern. Also fix EBUSY/EINPROGRESS handling throughout: remove krb5enc_request_complete() which incorrectly swallowed EINPROGRESS notifications that must be passed up to callers waiting on backlogged requests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done for the dispatch_encrypt return value. Unset MAY_BACKLOG on the async completion path so the user won't see back-to-back EINPROGRESS notifications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31719
EUVD
EUVD-2026-26528
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
linux linux_kernel From 6.15 (inc) to 6.18.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's crypto subsystem, specifically in the krb5enc encryption module. The issue is that during asynchronous decryption, the completion callback skips the hash verification step, which is essential for ensuring data integrity. The function krb5enc_dispatch_decrypt() sets the completion callback to the caller's own handler, which causes the hash verification function krb5enc_dispatch_decrypt_hash() to be bypassed when the decryption completes asynchronously. This means the integrity check is not performed, potentially allowing corrupted or tampered data to be accepted as valid.

The fix involves adding an intermediate callback, krb5enc_decrypt_done, that ensures the hash verification is executed after asynchronous decryption completes, aligning the decrypt path with the encrypt path's correct callback chaining. Additional fixes address error handling related to EBUSY and EINPROGRESS states to properly manage backlogged requests.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing data integrity verification to be bypassed during asynchronous decryption operations in the Linux kernel's krb5enc module. Without proper hash verification, corrupted or maliciously altered data could be accepted as valid, potentially leading to security issues such as data tampering or unauthorized data manipulation.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by fixing the asynchronous decrypt path in the krb5enc crypto module. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Apply the latest Linux kernel updates that address the krb5enc async decrypt hash verification issue.
  • Restart affected services or systems after applying the kernel update to ensure the fix is active.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart