CVE-2026-31637
CRITICALrxrpc: reject undecryptable rxkad response tickets
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.
References (8)
Core 8
Core References
Scores
CVSS v3
9.8
EPSS
0.0051
EPSS Percentile
40.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (28)
linux/Kernel
2.6.22 - 5.10.258linux
linux/Kernel
5.11.0 - 5.15.209linux
linux/Kernel
5.16.0 - 6.1.175linux
linux/Kernel
6.13.0 - 6.18.23linux
linux/Kernel
6.19.0 - 6.19.13linux
linux/Kernel
6.2.0 - 6.6.135linux
linux/Kernel
6.7.0 - 6.12.82linux
Linux/Linux
< 2.6.22
Linux/Linux
17926a79320afa9b95df6b977b40cca6d8713cea - 22f6258e7b31dba9bf88dce4e3ee7f0f20072e60
Linux/Linux
17926a79320afa9b95df6b977b40cca6d8713cea - 252157d939d179b5d767cb860ff8fa7f8723b67a
... and 18 more
Published
Apr 24, 2026
Tracked Since
Apr 24, 2026