CVE-2026-31696 Overview
CVE-2026-31696 is a Linux kernel vulnerability in the rxrpc subsystem. The flaw resides in rxrpc_preparse(), which processes key payloads through two paths: an XDR path for large payloads and a non-XDR path for payloads of 28 bytes or less. The non-XDR path fails to validate the ticket length against AFSTOKEN_RK_TIX_MAX, while the XDR path (rxrpc_preparse_xdr_rxkad()) performs this check correctly. An unprivileged local user can supply an oversized ticket length, causing a subsequent rxrpc_read() call to compute a toksize exceeding AFSTOKEN_LENGTH_MAX and trigger a WARN_ON() at net/rxrpc/key.c:778. The defect is classified as an out-of-bounds write [CWE-787].
Critical Impact
Local unprivileged users can trigger kernel-side memory corruption in the rxrpc key handling code, impacting confidentiality, integrity, and availability of the host.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix commits)
- Linux Kernel 7.1-rc1
- Linux Kernel 7.1-rc2
Discovery Timeline
- 2026-05-01 - CVE-2026-31696 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31696
Vulnerability Analysis
The rxrpc subsystem implements the RxRPC transport protocol used by AFS (Andrew File System) clients in the Linux kernel. The rxrpc_preparse() function parses user-supplied key payloads and dispatches them to one of two parsing paths based on payload size. Payloads larger than 28 bytes flow through the XDR path implemented in rxrpc_preparse_xdr_rxkad(), which enforces an upper bound on ticket length using the AFSTOKEN_RK_TIX_MAX constant. Payloads of 28 bytes or fewer take the non-XDR path, which omits this bound check.
When a key prepared via the non-XDR path is later read with rxrpc_read(), the function calculates the total token size (toksize). An attacker-controlled ticket length inflates toksize beyond AFSTOKEN_LENGTH_MAX, hitting a WARN_ON() at net/rxrpc/key.c:778 and producing the warning observed in kernel logs. Because the underlying issue is a missing bounds check on attacker-controlled length data feeding subsequent buffer logic, the condition is tracked as [CWE-787] out-of-bounds write.
Root Cause
The root cause is incomplete input validation parity between two parsing paths. The XDR parser validates ticket length against AFSTOKEN_RK_TIX_MAX, but the non-XDR parser does not. This asymmetry allows an oversized ticket length to be stored in a key structure and consumed later by rxrpc_read() without sanity checks.
Attack Vector
Exploitation requires local access with the ability to invoke the keyctl interface. An unprivileged user installs a key of type rxrpc with a payload of 28 bytes or less containing a forged ticket length field. Reading the key triggers the WARN_ON() and the underlying out-of-bounds write condition. The attack does not require user interaction and operates entirely within the local user's session.
The vulnerability mechanism is described in the upstream commit messages. See the kernel git commits listed under Patch Information for the patch and validation logic.
Detection Methods for CVE-2026-31696
Indicators of Compromise
- Kernel ring buffer entries containing WARNING: CPU: ... at net/rxrpc/key.c:778 rxrpc_read+
- Unexpected keyctl syscall activity from non-privileged users adding keys of type rxrpc
- Kernel taint flags set after rxrpc-related warnings appear in dmesg
Detection Strategies
- Monitor dmesg and journald for WARN_ON traces originating in net/rxrpc/key.c and rxrpc_read
- Audit add_key and keyctl syscalls with auditd rules targeting the rxrpc key type
- Correlate kernel warnings with the originating process and user identity using EDR telemetry
Monitoring Recommendations
- Enable kernel audit logging for the keyrings subsystem on hosts running AFS or rxrpc workloads
- Track kernel version inventory across the fleet to identify systems still running pre-patch builds
- Alert on repeated rxrpc-related kernel warnings, which can indicate exploitation attempts or fuzzing activity
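The log signature, the repeated-warning alert and the taint indicator listed above can be checked with a short triage script. This is an added example, not part of the original advisory or any vendor tooling: the function names, the threshold and the sample log lines are constructed, and the match accepts any line number in net/rxrpc/key.c because 778 depends on the kernel build.

```shell
#!/bin/sh
# Added example (not advisory or kernel code): triage kernel log text for the
# rxrpc_read() warning signature. Function names are hypothetical.

# Constructed sample input; offsets and PIDs are made up for the demonstration.
SAMPLE_LOG='[  812.104511] ------------[ cut here ]------------
[  812.104530] WARNING: CPU: 1 PID: 4242 at net/rxrpc/key.c:778 rxrpc_read+0x0/0x0
[  812.104700] CPU: 1 PID: 4242 Comm: example Tainted: G        W
[  815.220113] WARNING: CPU: 0 PID: 4242 at net/rxrpc/key.c:778 rxrpc_read+0x0/0x0
[  901.000001] WARNING: CPU: 2 PID: 77 at fs/example.c:10 other_func+0x0/0x0
[  950.431877] WARNING: CPU: 3 PID: 5150 at net/rxrpc/key.c:778 rxrpc_read+0x0/0x0'

# Read kernel log lines on stdin and print "<count> pid=<pid>" for every
# process that hit the warning, busiest first. Works on dmesg or journald
# output because the PID is located by its "PID:" label, not by column.
rxrpc_warn_summary() {
  awk '
    /WARNING:.* at net\/rxrpc\/key\.c:[0-9]+ rxrpc_read\+/ {
      pid = "unknown"
      for (i = 1; i < NF; i++) if ($i == "PID:") pid = $(i + 1)
      hits[pid]++
    }
    END { for (p in hits) printf "%d pid=%s\n", hits[p], p }
  ' | sort -rn
}

# Exit 0 (alert) when stdin holds at least $1 matching warnings (default 2).
rxrpc_warn_repeated() {
  threshold=${1:-2}
  total=$(rxrpc_warn_summary | awk '{ n += $1 } END { print n + 0 }')
  [ "$total" -ge "$threshold" ]
}

# Exit 0 when a /proc/sys/kernel/tainted value has TAINT_WARN (bit 9, 512) set.
taint_has_warn() {
  [ $(( $1 & 512 )) -ne 0 ]
}

# Demonstration on the constructed sample. On a live host, feed the functions
# from "dmesg" or "journalctl -k" and pass the contents of
# /proc/sys/kernel/tainted to taint_has_warn.
printf '%s\n' "$SAMPLE_LOG" | rxrpc_warn_summary
if printf '%s\n' "$SAMPLE_LOG" | rxrpc_warn_repeated 2; then
  echo "ALERT: repeated rxrpc_read warnings"
fi
```

The PID in the summary is the starting point for correlating the warning with the audit records for add_key and keyctl from the same process and user.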
How to Mitigate CVE-2026-31696
Immediate Actions Required
- Apply the upstream patch to all affected kernel branches and reboot affected hosts
- Restrict local shell access on multi-tenant systems until patches are deployed
- Disable or unload the rxrpc and kafs modules on systems that do not require AFS connectivity
Patch Information
The issue is fixed by adding a ticket length check in the non-XDR parsing path of rxrpc_preparse() to mirror the XDR path validation against AFSTOKEN_RK_TIX_MAX. Stable tree fixes are available in the following commits: 1fa36cf4, 4458757c, a1be1c9e, ac33733b, and ce383ba6. Distribution vendors will incorporate these commits into their respective kernel update streams.
Workarounds
- Blacklist the rxrpc kernel module on hosts that do not use AFS: add the line blacklist rxrpc to a file under /etc/modprobe.d/
- Restrict the keyrings subsystem via seccomp or LSM policies to block unprivileged add_key calls for the rxrpc type
- Limit local user access on shared and multi-tenant systems to reduce exposure to local-only attack vectors
```shell
# Blacklist rxrpc and kafs modules where AFS is not required
echo 'blacklist rxrpc' | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
echo 'blacklist kafs' | sudo tee -a /etc/modprobe.d/blacklist-rxrpc.conf
# Rebuild the initramfs so the blacklist also applies at early boot (Debian/Ubuntu tool)
sudo update-initramfs -u
# Verify the modules are not loaded after reboot (no output means neither is loaded)
lsmod | grep -E 'rxrpc|kafs'
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


