Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

In rxrpc_preparse(), there are two paths for parsing key payloads: the
XDR path (for large payloads) and the non-XDR path (for payloads <= 28
bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
path fails to do so.

This allows an unprivileged user to provide a very large ticket length.
When this key is later read via rxrpc_read(), the total
token size (toksize) calculation results in a value that exceeds
AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().

[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]

Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()
to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,
bringing it into parity with the XDR parsing logic.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s rxrpc_preparse routine lacks a length validation step in its non‑XDR key‑preparing path. An unprivileged user can submit a key with an excessively large ticket length, causing the kernel to compute a token size that exceeds the defined maximum. The kernel then triggers a WARN_ON message. This flaw aligns with CWE‑190: Integer Overflow or Wraparound, indicating a potential integer overflow that could lead to resource exhaustion or instability.

Affected Systems

All Linux kernel implementations that include the rxrpc module are affected. The advisory does not list specific kernel versions, so any kernel containing the vulnerable code path is at risk until patched.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is not available; the vulnerability is also not listed in the CISA KEV catalog. The attack is likely local, as any user with system access can craft a malicious key payload. While the kernel only logs a warning rather than crashing, repeated exploitation could lead to memory over‑commitment and a denial‑of‑service condition. Given the local nature and absence of proven remote exploitation, the overall risk is moderate but the issue should be patched promptly.

Generated by OpenCVE AI on May 2, 2026 at 10:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the patch for CVE-2026-31696.
  • If an immediate upgrade is not possible, disable or restrict services that invoke the rxrpc protocol to prevent the vulnerable code path from being exercised.
  • Continuously monitor kernel logs for the rxrpc WARN_ON message to detect attempted exploitation and confirm remediation effectiveness.

Generated by OpenCVE AI on May 2, 2026 at 10:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <= 28 bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR path fails to do so. This allows an unprivileged user to provide a very large ticket length. When this key is later read via rxrpc_read(), the total token size (toksize) calculation results in a value that exceeds AFSTOKEN_LENGTH_MAX, triggering a WARN_ON(). [ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc] Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, bringing it into parity with the XDR parsing logic.
Title rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:55:57.485Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31696

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:19.403

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31696

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31696 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T21:30:14Z

Weaknesses