CVE-2026-31637 PUBLISHED

rxrpc: reject undecryptable rxkad response tickets

Assigner: Linux
Reserved: 09.03.2026 Published: 24.04.2026 Updated: 24.04.2026

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: reject undecryptable rxkad response tickets

rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded.

A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes.

Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to 47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a (excl.)
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to a149dcae23309df9de1c3b6b5d468610ef5ab7de (excl.)
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to 22f6258e7b31dba9bf88dce4e3ee7f0f20072e60 (excl.)
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to 58fcd1b156152613ba00a064a129fb69507ddd7d (excl.)
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to fe4447cd95623b1cfacc15f280aab73a6d7340b2 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.22 is affected
  • unaffected from 0 to 2.6.22 (excl.)
  • unaffected from 6.6.135 to 6.6.* (incl.)
  • unaffected from 6.12.82 to 6.12.* (incl.)
  • unaffected from 6.18.23 to 6.18.* (incl.)
  • unaffected from 6.19.13 to 6.19.* (incl.)
  • unaffected from 7.0 to * (incl.)

References