CVE-2026-31637
Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: reject undecryptable rxkad response tickets
rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.
A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.
Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the rxrpc subsystem fails to check decryption success of rxkad response tickets, allowing an attacker to inject plaintext and cause memory corruption.
Vulnerability
The Linux kernel's rxrpc subsystem contains a flaw in the rxkad_decrypt_ticket() function, which decrypts RXKAD response tickets but fails to verify whether the decryption succeeded via crypto_skcipher_decrypt(). When decryption fails, the parser still processes the decrypted buffer as plaintext, enabling an attacker to inject controlled data into the ticket parsing logic [1][2][3][4].
Exploitation
A remote attacker can send a malformed RESPONSE packet with a non-block-aligned ticket length, causing the decryption operation to fail. Despite the failure, the kernel continues to parse the buffer, treating attacker-controlled bytes as a legitimate ticket [1]. No authentication or user interaction is required, making this vulnerability exploitable over the network with low complexity, as reflected by the CVSS score of 9.8.
Impact
Successful exploitation allows an attacker to drive the ticket parser with arbitrary data, potentially leading to memory corruption, privilege escalation, or denial of service within the kernel's rxrpc context. Given the critical severity, this could result in full system compromise.
Mitigation
The issue is resolved by checking the decrypt result and aborting the connection with RXKADBADTICKET when decryption fails [1][2][3][4]. The fix has been incorporated into stable Linux kernel branches; users should update to the latest kernel version containing the patch.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.22.1,<6.6.135
- cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/22f6258e7b31dba9bf88dce4e3ee7f0f20072e60nvdPatch
- git.kernel.org/stable/c/47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8anvdPatch
- git.kernel.org/stable/c/58fcd1b156152613ba00a064a129fb69507ddd7dnvdPatch
- git.kernel.org/stable/c/a149dcae23309df9de1c3b6b5d468610ef5ab7denvdPatch
- git.kernel.org/stable/c/fe4447cd95623b1cfacc15f280aab73a6d7340b2nvdPatch
News mentions
0No linked articles in our index yet.