Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: reject undecryptable rxkad response tickets

rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then
parses the buffer as plaintext without checking whether
crypto_skcipher_decrypt() succeeded.

A malformed RESPONSE can therefore use a non-block-aligned ticket
length, make the decrypt operation fail, and still drive the ticket
parser with attacker-controlled bytes.

Check the decrypt result and abort the connection with RXKADBADTICKET
when ticket decryption fails.
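The defect is a textbook unchecked return value: the decrypt call can fail on a ticket whose length is not a multiple of the cipher's block size, and the buffer it leaves behind is then parsed as if decryption had worked. The following user-space C model is added here to illustrate that control flow; it is not the kernel's rxkad code. It swaps crypto_skcipher_decrypt() for a constructed stand-in (sim_skcipher_decrypt) that fails on a non-block-aligned length and otherwise decrypts in place, and it uses a constructed ticket layout, key and abort-code value (SIM_RXKADBADTICKET is a placeholder, not the kernel's constant). The vulnerable path and the fixed path from the advisory are shown side by side on the same inputs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 8
#define SIM_RXKADBADTICKET 0x7fff0001u   /* placeholder; the real RXKADBADTICKET value is in the rxrpc headers */

/* Stand-in for crypto_skcipher_decrypt(): fails on a non-block-aligned length,
 * as the advisory describes, otherwise decrypts in place with a constructed XOR
 * keystream. A failed call leaves the sender's ciphertext in the buffer. */
static int sim_skcipher_decrypt(uint8_t *buf, size_t len)
{
    static const uint8_t key[BLOCK_SIZE] = { 's','r','v','k','e','y','0','1' };
    if (len == 0 || len % BLOCK_SIZE != 0)
        return -EINVAL;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % BLOCK_SIZE];
    return 0;
}

/* Constructed ticket layout: flags byte, NUL-terminated principal name, zero
 * padding to the block boundary. Every read is bounded by len. */
static int parse_ticket(const uint8_t *buf, size_t len, char *name, size_t name_sz)
{
    const uint8_t *nul;
    size_t n;
    if (len < 2 || !(nul = memchr(buf + 1, 0, len - 1)))
        return -EPROTO;                     /* too short or unterminated name */
    n = (size_t)(nul - (buf + 1));
    if (n + 1 > name_sz)
        return -EPROTO;
    memcpy(name, buf + 1, n + 1);
    return 0;
}

/* Vulnerable flow (CWE-252): the decrypt result is discarded, so after a failed
 * decrypt the parser runs over the sender-chosen bytes as if they were plaintext. */
static int decrypt_ticket_unchecked(uint8_t *ticket, size_t len, char *name, size_t name_sz)
{
    sim_skcipher_decrypt(ticket, len);      /* return value ignored */
    return parse_ticket(ticket, len, name, name_sz);
}

/* Fixed flow from the advisory: check the result and abort the connection
 * with RXKADBADTICKET before the parser runs. */
static int decrypt_ticket_checked(uint8_t *ticket, size_t len, char *name,
                                  size_t name_sz, uint32_t *abort_code)
{
    if (sim_skcipher_decrypt(ticket, len) < 0) {
        *abort_code = SIM_RXKADBADTICKET;
        return -EPROTO;
    }
    return parse_ticket(ticket, len, name, name_sz);
}

/* Builds a well-formed encrypted ticket for `name` (constructed test data);
 * XOR is its own inverse, so the decrypt routine also encrypts. */
static size_t make_ticket(uint8_t *out, const char *name)
{
    size_t len = (2 + strlen(name) + BLOCK_SIZE - 1) / BLOCK_SIZE * BLOCK_SIZE;
    memset(out, 0, len);
    out[0] = 0x01;                          /* flags */
    memcpy(out + 1, name, strlen(name) + 1);
    sim_skcipher_decrypt(out, len);
    return len;
}

/* Scenario 1: the fixed path on a valid ticket returns 0 and yields the principal. */
static int run_valid_ticket(char *name, size_t name_sz)
{
    uint8_t ticket[32];
    uint32_t abort_code = 0;
    size_t len = make_ticket(ticket, "afs");
    return decrypt_ticket_checked(ticket, len, name, name_sz, &abort_code);
}

/* Scenarios 2 and 3: a 13-byte RESPONSE ticket (not block aligned, so decryption
 * fails) carrying a sender-chosen plaintext name (constructed). The unchecked
 * path returns 0 with that name; the fixed path returns -EPROTO plus an abort code. */
static int run_malformed_unchecked(char *name, size_t name_sz)
{
    uint8_t ticket[13] = { 0x01, 'f','o','r','g','e','d', 0 };
    return decrypt_ticket_unchecked(ticket, sizeof ticket, name, name_sz);
}

static int run_malformed_checked(char *name, size_t name_sz, uint32_t *abort_code)
{
    uint8_t ticket[13] = { 0x01, 'f','o','r','g','e','d', 0 };
    return decrypt_ticket_checked(ticket, sizeof ticket, name, name_sz, abort_code);
}

int main(void)
{
    char name[32];
    uint32_t abort_code = 0;
    if (run_valid_ticket(name, sizeof name) == 0)
        printf("valid ticket: principal '%s'\n", name);
    if (run_malformed_unchecked(name, sizeof name) == 0)
        printf("unchecked path parsed an undecrypted ticket: '%s'\n", name);
    if (run_malformed_checked(name, sizeof name, &abort_code) == -EPROTO)
        printf("checked path aborted the connection, code 0x%x\n", abort_code);
    return 0;
}
```

The contrast is the whole point: on the malformed input the unchecked path reports success and hands back a principal name the sender wrote into the packet, while the fixed path never reaches the parser and aborts with the ticket-specific code. Rejecting non-block-aligned ticket lengths before calling the cipher would be reasonable defence in depth, but the root fix, as the advisory states, is to check the decrypt result.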
Published: 2026-04-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Linux kernel's rxrpc module allows an attacker to craft a malformed RXKAD response ticket that fails decryption but is still parsed as plaintext. Because the kernel does not verify that the decryption succeeded, the parser can be fed attacker-controlled data, potentially leading to arbitrary code execution or kernel memory corruption. This flaw falls under CWE-252 (Unchecked Return Value); the additional NVD-CWE-noinfo entry means NVD has assigned no more specific classification.

Affected Systems

The issue affects all Linux kernel releases that include the rxrpc subsystem and predate the fix; the CPEs recorded for this CVE name Linux kernel 2.6.22 and the 7.0 release candidates (rc1 through rc7).

Risk and Exploitability

With a CVSS score of 9.8 the weakness is rated critical. The EPSS score of less than 1% suggests a low probability of widespread exploitation, and the flaw is not listed in CISA's KEV catalog, so it is currently a known but not actively exploited vulnerability. An attacker would need to send a specially crafted RXKAD RESPONSE over the network to a system that uses the rxrpc protocol; on an unpatched kernel the malformed ticket is parsed before the connection is aborted. This remote network attack path makes the vulnerability especially relevant for servers or services that expose the rxrpc interface to untrusted hosts.

Generated by OpenCVE AI on April 28, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version in which the rxrpc patch—to check the decryption result and reject invalid tickets—is applied. The patch is referenced in the commit series linked in the CVE references.
  • If an upgrade cannot be performed immediately, restrict rxrpc traffic from untrusted networks by applying firewall rules that only allow connections to known, trusted hosts.
  • Continuously monitor system logs for RXKADBADTICKET events and investigate any anomalous connection attempts to detect potential exploitation attempts.



Advisories

Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Type: Weaknesses
  Values added: NVD-CWE-noinfo
Type: CPEs
  Values added:
    cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type: Metrics
  Values removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Sat, 25 Apr 2026 00:15:00 +0000

Type: Weaknesses
  Values added: CWE-252
Type: References
Type: Metrics
  Values removed: threat_severity None
  Values added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Fri, 24 Apr 2026 15:00:00 +0000

Type: Description
  Values added: the CVE description (identical to the Description section above)
Type: Title
  Values added: rxrpc: reject undecryptable rxkad response tickets
Type: First Time appeared
  Values added: Linux; Linux linux Kernel
Type: CPEs
  Values added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Linux; Linux linux Kernel
Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:39.924Z

Reserved: 2026-03-09T15:48:24.125Z

Link: CVE-2026-31637

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:43.020

Modified: 2026-04-27T20:20:48.030

Link: CVE-2026-31637

Redhat

Severity : Moderate

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31637 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:00:16Z

Weaknesses