Skip to main content

Linux Kernel EUVDEUVD-2026-26505

| CVE-2026-31696 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 06, 2026 - 21:30 vuln.today
CVSS changed
May 06, 2026 - 19:22 NVD
7.8 (HIGH)
Patch released
May 01, 2026 - 15:24 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26505
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <= 28 bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR path fails to do so.

This allows an unprivileged user to provide a very large ticket length. When this key is later read via rxrpc_read(), the total token size (toksize) calculation results in a value that exceeds AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().

[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]

Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, bringing it into parity with the XDR parsing logic.

AnalysisAI

Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via malformed key payloads. The non-XDR parsing path in rxrpc_preparse() fails to validate ticket length against AFSTOKEN_RK_TIX_MAX, enabling unprivileged users to supply oversized tickets that cause WARN_ON() triggers and potential memory corruption when keys are read. Vendor patches available for kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% indicates low observed exploitation probability, with no public exploit identified at time of analysis.

Technical ContextAI

The rxrpc protocol implementation in the Linux kernel provides two code paths for parsing cryptographic key payloads used in AFS (Andrew File System) authentication. Payloads larger than 28 bytes follow an XDR (External Data Representation) parsing path that includes proper bounds checking via rxrpc_preparse_xdr_rxkad(), validating ticket lengths against the AFSTOKEN_RK_TIX_MAX constant. However, smaller payloads use a non-XDR fast path in rxrpc_preparse() that omits this critical validation step. The vulnerability maps to CWE-787 (Out-of-bounds Write), representing a classic buffer overflow condition where user-controlled input size is not sanitized before use in memory operations. When a malicious key with excessive ticket length is later accessed through rxrpc_read(), the token size calculation overflows AFSTOKEN_LENGTH_MAX, triggering kernel warnings and potentially corrupting adjacent memory structures. The affected CPE strings indicate vulnerability exists across multiple kernel version branches from 3.17 through 7.1-rc2, with the root cause introduced in commit 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247.

RemediationAI

Apply vendor-released patches immediately for affected kernel versions: upgrade to 6.6.136 (for 6.6.x series), 6.12.84 (for 6.12.x), 6.18.25 (for 6.18.x), 7.0.2 (for 7.0.x), or 7.1-rc1 and later (for development kernels). Patch commits available at https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1 (6.6), https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92 (6.12), https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b (6.18), https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0 (7.0), and https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383 (mainline). For systems unable to patch immediately, disable rxrpc kernel module via 'modprobe -r rxrpc' and blacklist it in /etc/modprobe.d/ to prevent automatic loading (blacklist rxrpc). This mitigation eliminates attack surface but breaks AFS authentication functionality for any applications depending on rxrpc, requiring alternative authentication mechanisms. Restrict local user access and monitor for unexpected rxrpc module loading as detective controls. Reboot required after kernel upgrade to activate patched code.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy