{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247"
            },
            {
              "fixed": "44714dfda386884919ba366411880b6fb3c3efd3"
            },
            {
              "fixed": "41a117dd80371343babc52198d1114e83eb37627"
            },
            {
              "fixed": "9a397aa9b5e53ca63d4d6aefb542832eca389618"
            },
            {
              "fixed": "1fa36cf495b0023e8475d038535c05e4063211e1"
            },
            {
              "fixed": "4458757c020592a3094366e0fb20457383b42f92"
            },
            {
              "fixed": "ce383ba615339f8eaec646a166d2c2b015bb5ca0"
            },
            {
              "fixed": "a1be1c9ece26cea69654f28b255ff9a7906b897b"
            },
            {
              "fixed": "ac33733b10b484d666f97688561670afd5861383"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.17.0"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.136"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.84"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.25"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31696.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing validation of ticket length in non-XDR key preparsing\n\nIn rxrpc_preparse(), there are two paths for parsing key payloads: the\nXDR path (for large payloads) and the non-XDR path (for payloads \u003c= 28\nbytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly\nvalidates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR\npath fails to do so.\n\nThis allows an unprivileged user to provide a very large ticket length.\nWhen this key is later read via rxrpc_read(), the total\ntoken size (toksize) calculation results in a value that exceeds\nAFSTOKEN_LENGTH_MAX, triggering a WARN_ON().\n\n[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]\n\nFix this by adding a check in the non-XDR parsing path of rxrpc_preparse()\nto ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,\nbringing it into parity with the XDR parsing logic.",
  "id": "CVE-2026-31696",
  "modified": "2026-07-08T05:36:02.297389310Z",
  "published": "2026-05-01T13:55:57.485Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41a117dd80371343babc52198d1114e83eb37627"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44714dfda386884919ba366411880b6fb3c3efd3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a397aa9b5e53ca63d4d6aefb542832eca389618"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31696.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31696"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "rxrpc: Fix missing validation of ticket length in non-XDR key preparsing"
}