{"id":"CVE-2026-31696","summary":"rxrpc: Fix missing validation of ticket length in non-XDR key preparsing","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing validation of ticket length in non-XDR key preparsing\n\nIn rxrpc_preparse(), there are two paths for parsing key payloads: the\nXDR path (for large payloads) and the non-XDR path (for payloads \u003c= 28\nbytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly\nvalidates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR\npath fails to do so.\n\nThis allows an unprivileged user to provide a very large ticket length.\nWhen this key is later read via rxrpc_read(), the total\ntoken size (toksize) calculation results in a value that exceeds\nAFSTOKEN_LENGTH_MAX, triggering a WARN_ON().\n\n[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]\n\nFix this by adding a check in the non-XDR parsing path of rxrpc_preparse()\nto ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,\nbringing it into parity with the XDR parsing logic.","modified":"2026-05-18T05:59:54.036916588Z","published":"2026-05-01T13:55:57.485Z","related":["CGA-5jm8-p36h-hjgh","openSUSE-SU-2026:10793-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31696.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31696.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31696"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247"},{"fixed":"1fa36cf495b0023e8475d038535c05e4063211e1"},{"fixed":"4458757c020592a3094366e0fb20457383b42f92"},{"fixed":"ce383ba615339f8eaec646a166d2c2b015bb5ca0"},{"fixed":"a1be1c9ece26cea69654f28b255ff9a7906b897b"},{"fixed":"ac33733b10b484d666f97688561670afd5861383"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31696.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.17.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.84"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.25"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31696.json"}}],"schema_version":"1.7.5"}