Skip to main content

Linux Kernel EUVDEUVD-2026-26528

| CVE-2026-31719 HIGH
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:27 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.5 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26528
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

crypto: krb5enc - fix async decrypt skipping hash verification

krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher callback, which is the caller's own completion handler. When the skcipher completes asynchronously, this signals "done" to the caller without executing krb5enc_dispatch_decrypt_hash(), completely bypassing the integrity verification (hash check).

Compare with the encrypt path which correctly uses krb5enc_encrypt_done as an intermediate callback to chain into the hash computation on async completion.

Fix by adding krb5enc_decrypt_done as an intermediate callback that chains into krb5enc_dispatch_decrypt_hash() upon async skcipher completion, matching the encrypt path's callback pattern.

Also fix EBUSY/EINPROGRESS handling throughout: remove krb5enc_request_complete() which incorrectly swallowed EINPROGRESS notifications that must be passed up to callers waiting on backlogged requests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done for the dispatch_encrypt return value.

Unset MAY_BACKLOG on the async completion path so the user won't see back-to-back EINPROGRESS notifications.

AnalysisAI

Integrity verification bypass in Linux kernel crypto subsystem's Kerberos 5 encryption module allows remote unauthenticated attackers to bypass cryptographic hash checks when asynchronous decryption completes. The vulnerability stems from incorrect callback chaining that skips krb5enc_dispatch_decrypt_hash() verification entirely during async operations. Exploitation likelihood is low (EPSS 2%, percentile 4%) despite high CVSS severity, though EUVD classifies this as an authentication bypass affecting Linux 6.15+ with patches available for stable branches 6.18.25, 7.0.2, and mainline 7.1-rc1.

Technical ContextAI

The krb5enc crypto driver implements Kerberos 5 encryption within the Linux kernel's crypto API framework. The vulnerability affects the asynchronous skcipher (symmetric cipher) completion path used for decrypt operations. In kernel crypto subsystems, async operations use callback chains to sequence dependent operations like decryption followed by integrity verification. The flaw occurs when krb5enc_dispatch_decrypt() incorrectly registers the caller's completion handler directly with the underlying skcipher operation instead of using an intermediate callback (krb5enc_decrypt_done). This breaks the callback chain, causing async completions to signal 'done' to callers before executing krb5enc_dispatch_decrypt_hash() which validates the cryptographic hash. The encrypt path correctly implements this pattern with krb5enc_encrypt_done as the intermediate callback. Additionally, the code incorrectly handled EBUSY/EINPROGRESS status codes which signal backlogged async operations in the kernel crypto queue, potentially masking completion status from waiters.

RemediationAI

Upgrade to patched Linux kernel versions: stable branch 6.18.25 or later for 6.x series, version 7.0.2 or later for 7.0.x series, or mainline 7.1-rc1 and above. Patches available from kernel.org stable tree via commits 3bfbf5f0a99c (6.18.x branch), 07cbb1bd4243 (7.0.x branch), and e51f42114abb (mainline). Apply patches from https://git.kernel.org/stable/c/07cbb1bd424370671814a862913c99a6e1441588 for your kernel branch. If immediate patching is not feasible, disable the krb5enc kernel crypto module by setting CONFIG_CRYPTO_KRB5ENC=n and recompiling the kernel, though this breaks kernel-based Kerberos crypto functionality. Alternatively, blacklist the krb5enc module via modprobe configuration (echo 'blacklist krb5enc' >> /etc/modprobe.d/cve-2026-31719.conf) and reboot, which prevents module loading but may impact systems requiring kernel crypto for Kerberos operations. Compensating controls have significant operational impact as they disable the affected functionality entirely. For most deployments using userspace Kerberos libraries, no action is required as they are unaffected.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26528 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy