CVE-2026-31696

Source
https://cve.org/CVERecord?id=CVE-2026-31696
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31696.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31696
Downstream
Related
Published
2026-05-01T13:55:57.485Z
Modified
2026-05-18T05:59:54.036916588Z
Summary
rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <= 28 bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR path fails to do so.

This allows an unprivileged user to provide a very large ticket length. When this key is later read via rxrpc_read(), the total token size (toksize) calculation results in a value that exceeds AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().

[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]

Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, bringing it into parity with the XDR parsing logic.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31696.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247
Fixed
1fa36cf495b0023e8475d038535c05e4063211e1
Fixed
4458757c020592a3094366e0fb20457383b42f92
Fixed
ce383ba615339f8eaec646a166d2c2b015bb5ca0
Fixed
a1be1c9ece26cea69654f28b255ff9a7906b897b
Fixed
ac33733b10b484d666f97688561670afd5861383

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31696.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.17.0
Fixed
6.6.136
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.84
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.25
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31696.json"