{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31696","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.131Z","datePublished":"2026-05-01T13:55:57.485Z","dateUpdated":"2026-05-11T22:13:57.495Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:13:57.495Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing validation of ticket length in non-XDR key preparsing\n\nIn rxrpc_preparse(), there are two paths for parsing key payloads: the\nXDR path (for large payloads) and the non-XDR path (for payloads <= 28\nbytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly\nvalidates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR\npath fails to do so.\n\nThis allows an unprivileged user to provide a very large ticket length.\nWhen this key is later read via rxrpc_read(), the total\ntoken size (toksize) calculation results in a value that exceeds\nAFSTOKEN_LENGTH_MAX, triggering a WARN_ON().\n\n[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]\n\nFix this by adding a check in the non-XDR parsing path of rxrpc_preparse()\nto ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,\nbringing it into parity with the XDR parsing logic."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rxrpc/key.c"],"versions":[{"version":"8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247","lessThan":"1fa36cf495b0023e8475d038535c05e4063211e1","status":"affected","versionType":"git"},{"version":"8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247","lessThan":"4458757c020592a3094366e0fb20457383b42f92","status":"affected","versionType":"git"},{"version":"8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247","lessThan":"ce383ba615339f8eaec646a166d2c2b015bb5ca0","status":"affected","versionType":"git"},{"version":"8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247","lessThan":"a1be1c9ece26cea69654f28b255ff9a7906b897b","status":"affected","versionType":"git"},{"version":"8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247","lessThan":"ac33733b10b484d666f97688561670afd5861383","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rxrpc/key.c"],"versions":[{"version":"3.17","status":"affected"},{"version":"0","lessThan":"3.17","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.84","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.12.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.18.25"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"7.0.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"7.1-rc1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1"},{"url":"https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92"},{"url":"https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0"},{"url":"https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b"},{"url":"https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383"}],"title":"rxrpc: Fix missing validation of ticket length in non-XDR key preparsing","x_generator":{"engine":"bippy-1.2.0"}}}}