CVE-2026-31637 · Severity: CRITICAL · CNA: Linux
CVE-2026-31637: rxrpc: reject undecryptable rxkad response tickets
In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets.

rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.
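The following is an added model of the bug class the description identifies, not code from the kernel or the advisory: a block-cipher decrypt that rejects a non-block-aligned length, beside a ticket parser that either ignores that status (the vulnerable shape) or aborts with RXKADBADTICKET (the fixed shape). The XOR cipher, the 8-byte block size, the one-byte ticket layout and the constructed inputs are stand-ins chosen for the model; the abort-code constant is the conventional rxkad value and only needs to be distinct here.

```c
/* Added model of the CVE-2026-31637 pattern; toy cipher, not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#define RXKADBADTICKET 19270407 /* rxkad abort code named in the advisory */
#define BLOCK 8                 /* assumed block size for the toy cipher */
#define KEY   0x5A              /* constructed session key byte */

/* Stand-in for crypto_skcipher_decrypt(): a block cipher rejects a length
 * that is not block-aligned, returns -errno and leaves the buffer as-is. */
static int toy_decrypt(uint8_t *buf, size_t len)
{
    if (len % BLOCK != 0)
        return -EINVAL;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= KEY;
    return 0;
}

/* Ticket parser reduced to one field: accept only kvno == 1. */
static int parse_ticket(const uint8_t *buf)
{
    return buf[0] == 1 ? 0 : RXKADBADTICKET;
}

/* Vulnerable shape: decrypt status dropped, parser sees raw wire bytes. */
static int decrypt_ticket_unchecked(uint8_t *buf, size_t len)
{
    toy_decrypt(buf, len);
    return parse_ticket(buf);
}

/* Fixed shape: abort the connection with RXKADBADTICKET on decrypt failure. */
static int decrypt_ticket_checked(uint8_t *buf, size_t len)
{
    if (toy_decrypt(buf, len) < 0)
        return RXKADBADTICKET;
    return parse_ticket(buf);
}

/* Constructed inputs: a genuine 8-byte ticket (kvno 1 encrypted under KEY)
 * and a 9-byte forgery whose first wire byte is the plaintext value 1. */
static int run_scenario(int checked, int genuine)
{
    uint8_t buf[9] = { genuine ? (1 ^ KEY) : 1 };
    size_t len = genuine ? 8 : 9;
    return checked ? decrypt_ticket_checked(buf, len)
                   : decrypt_ticket_unchecked(buf, len);
}
```

With the forged 9-byte ticket the unchecked path returns 0 (accepted) because the buffer was never transformed, while the checked path returns RXKADBADTICKET; both paths accept the genuine aligned ticket.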
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
Fix available
Affected packages
- Linux / Linux: affected from commit 17926a79320afa9b95df6b977b40cca6d8713cea, fixed in commits 47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a, a149dcae23309df9de1c3b6b5d468610ef5ab7de, 22f6258e7b31dba9bf88dce4e3ee7f0f20072e60, 58fcd1b156152613ba00a064a129fb69507ddd7d and fe4447cd95623b1cfacc15f280aab73a6d7340b2
- Linux / Linux: affected from 2.6.22; fixed in 0, 6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H