{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31637", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.125Z", "datePublished": "2026-04-24T14:44:51.364Z", "dateUpdated": "2026-05-11T22:12:39.924Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:39.924Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: reject undecryptable rxkad response tickets\n\nrxkad_decrypt_ticket() decrypts the RXKAD response ticket and then\nparses the buffer as plaintext without checking whether\ncrypto_skcipher_decrypt() succeeded.\n\nA malformed RESPONSE can therefore use a non-block-aligned ticket\nlength, make the decrypt operation fail, and still drive the ticket\nparser with attacker-controlled bytes.\n\nCheck the decrypt result and abort the connection with RXKADBADTICKET\nwhen ticket decryption fails."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rxrpc/rxkad.c"], "versions": [{"version": "17926a79320afa9b95df6b977b40cca6d8713cea", "lessThan": "47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a", "status": "affected", "versionType": "git"}, {"version": "17926a79320afa9b95df6b977b40cca6d8713cea", "lessThan": "a149dcae23309df9de1c3b6b5d468610ef5ab7de", "status": "affected", "versionType": "git"}, {"version": "17926a79320afa9b95df6b977b40cca6d8713cea", "lessThan": "22f6258e7b31dba9bf88dce4e3ee7f0f20072e60", "status": "affected", "versionType": "git"}, {"version": "17926a79320afa9b95df6b977b40cca6d8713cea", "lessThan": "58fcd1b156152613ba00a064a129fb69507ddd7d", "status": "affected", "versionType": "git"}, {"version": "17926a79320afa9b95df6b977b40cca6d8713cea", "lessThan": "fe4447cd95623b1cfacc15f280aab73a6d7340b2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rxrpc/rxkad.c"], "versions": [{"version": "2.6.22", "status": "affected"}, {"version": "0", "lessThan": "2.6.22", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.22", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a"}, {"url": "https://git.kernel.org/stable/c/a149dcae23309df9de1c3b6b5d468610ef5ab7de"}, {"url": "https://git.kernel.org/stable/c/22f6258e7b31dba9bf88dce4e3ee7f0f20072e60"}, {"url": "https://git.kernel.org/stable/c/58fcd1b156152613ba00a064a129fb69507ddd7d"}, {"url": "https://git.kernel.org/stable/c/fe4447cd95623b1cfacc15f280aab73a6d7340b2"}], "title": "rxrpc: reject undecryptable rxkad response tickets", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF3437DE-9B4D-4F70-8EDD-552E0695376B", "versionEndExcluding": "6.6.135", "versionStartIncluding": "2.6.22.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*", "matchCriteriaId": "7F7D6C66-3384-4ACC-9D08-C5A26B4FD004", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: reject undecryptable rxkad response tickets\n\nrxkad_decrypt_ticket() decrypts the RXKAD response ticket and then\nparses the buffer as plaintext without checking whether\ncrypto_skcipher_decrypt() succeeded.\n\nA malformed RESPONSE can therefore use a non-block-aligned ticket\nlength, make the decrypt operation fail, and still drive the ticket\nparser with attacker-controlled bytes.\n\nCheck the decrypt result and abort the connection with RXKADBADTICKET\nwhen ticket decryption fails."}], "id": "CVE-2026-31637", "lastModified": "2026-04-27T20:20:48.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:43.020", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/22f6258e7b31dba9bf88dce4e3ee7f0f20072e60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/58fcd1b156152613ba00a064a129fb69507ddd7d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a149dcae23309df9de1c3b6b5d468610ef5ab7de"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fe4447cd95623b1cfacc15f280aab73a6d7340b2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: rxrpc: reject undecryptable rxkad response tickets", "id": "2461506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461506"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-252", "details": ["A flaw was found in the Linux kernel's rxrpc subsystem. A remote attacker could exploit this by sending a malformed RXKAD response ticket. This ticket, with a non-block-aligned length, would cause decryption to fail, yet the system would proceed to process attacker-controlled data. This could lead to a denial of service, causing the connection to be aborted."], "name": "CVE-2026-31637", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31637\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31637\nhttps://lore.kernel.org/linux-cve-announce/2026042455-CVE-2026-31637-0433@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[17926a79320afa9b95df6b977b40cca6d8713cea,47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[17926a79320afa9b95df6b977b40cca6d8713cea,a149dcae23309df9de1c3b6b5d468610ef5ab7de)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[17926a79320afa9b95df6b977b40cca6d8713cea,22f6258e7b31dba9bf88dce4e3ee7f0f20072e60)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[17926a79320afa9b95df6b977b40cca6d8713cea,58fcd1b156152613ba00a064a129fb69507ddd7d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[17926a79320afa9b95df6b977b40cca6d8713cea,fe4447cd95623b1cfacc15f280aab73a6d7340b2)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.22"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.22)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:53:01.543809+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version in which the rxrpc patch\u2014to check the decryption result and reject invalid tickets\u2014is applied. The patch is referenced in the commit series linked in the CVE references.", "If an upgrade cannot be performed immediately, restrict rxrpc traffic from untrusted networks by applying firewall rules that only allow connections to known, trusted hosts.", "Continuously monitor system logs for RXKADBADTICKET events and investigate any anomalous connection attempts to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects all Linux kernel releases that include the rxrpc subsystem before the mitigations were applied, including Linux kernel 2.6.22 and the 7.0 release candidates (rc1 through rc7).", "description_and_impact": "The vulnerability in the Linux kernel\u2019s rxrpc module allows an attacker to craft a malformed RXKAD response ticket that fails decryption but is still parsed as plaintext. Because the kernel does not verify that the decryption succeeded, the parser can be fed attacker\u2011controlled data, potentially leading to arbitrary code execution or kernel memory corruption. This flaw falls under CWE\u2011252 (Unchecked Return Value) and NVD\u2011CWE\u2011noinfo indicates no further classification.", "risk_and_exploitability": "With a CVSS score of 9.8 the weakness is deemed critical. The EPSS score of less than 1% suggests a low probability of widespread exploitation, yet the failure is not listed in CISA\u2019s KEV catalog, indicating it remains a known but not actively leveraged vulnerability. Attackers would need to send a specially crafted RXKAD response over the network to a system that uses the rxrpc protocol, and the kernel would abort the connection only after the malformed ticket is processed. This remote network attack path makes the vulnerability especially relevant for servers or services that expose the rxrpc interface to untrusted hosts."}}}}, "created": "2026-04-27T18:45:11.322837+00:00", "updated": "2026-04-28T14:00:16.502862+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}