rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

CVE	CVE-2026-31696
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-01 14:16:19 UTC
Updated	2026-05-06 19:17:41 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <= 28 bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR path fails to do so. This allows an unprivileged user to provide a very large ticket length. When this key is later read via rxrpc_read(), the total token size (toksize) calculation results in a value that exceeds AFSTOKEN_LENGTH_MAX, triggering a WARN_ON(). [ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc] Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, bringing it into parity with the XDR parsing logic.

Primary CVSS: v3.1 7.8 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000210000 probability, percentile 0.057670000 (date 2026-05-05)

Problem Types: CWE-787

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 1fa36cf495b0023e8475d038535c05e4063211e1 git	Not specified
CNA	Linux	Linux	affected 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 4458757c020592a3094366e0fb20457383b42f92 git	Not specified
CNA	Linux	Linux	affected 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 ce383ba615339f8eaec646a166d2c2b015bb5ca0 git	Not specified
CNA	Linux	Linux	affected 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 a1be1c9ece26cea69654f28b255ff9a7906b897b git	Not specified
CNA	Linux	Linux	affected 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 ac33733b10b484d666f97688561670afd5861383 git	Not specified
CNA	Linux	Linux	affected 3.17	Not specified
CNA	Linux	Linux	unaffected 3.17 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.136 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.84 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.25 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.2 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc1 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.