7.8

CVE-2026-31696

rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

In rxrpc_preparse(), there are two paths for parsing key payloads: the
XDR path (for large payloads) and the non-XDR path (for payloads <= 28
bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
path fails to do so.

This allows an unprivileged user to provide a very large ticket length.
When this key is later read via rxrpc_read(), the total
token size (toksize) calculation results in a value that exceeds
AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().

[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]

Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()
to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,
bringing it into parity with the XDR parsing logic.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.17 < 6.6.136
LinuxLinux Kernel Version >= 6.7 < 6.12.84
LinuxLinux Kernel Version >= 6.13 < 6.18.25
LinuxLinux Kernel Version >= 6.19 < 7.0.2
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.029
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1
Patch
https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92
Patch
https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b
Patch
https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383
Patch
https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0
Patch
https://git.kernel.org/stable/c/41a117dd80371343babc52198d1114e83eb37627
https://git.kernel.org/stable/c/44714dfda386884919ba366411880b6fb3c3efd3
https://git.kernel.org/stable/c/9a397aa9b5e53ca63d4d6aefb542832eca389618