CVE-2026-31637
Published: 24 April 2026
Summary
CVE-2026-31637 is a critical-severity vulnerability in the Linux kernel whose weakness type (CWE) has not yet been specified. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of identified flaws and directly addresses this CVE: apply the available kernel patches, which add the missing check on the decryption result.
SI-11 mandates secure error handling that does not compromise security; it directly mitigates the vulnerability by ensuring that a decryption failure aborts the connection instead of handing attacker-controlled bytes to the ticket parser.
SI-10 enforces validation of information inputs against expected formats. It is only a partial mitigation: rejecting a RESPONSE whose ticket length is not block-aligned before decryption is attempted stops this particular malformed input, but it does not replace checking the decrypt result itself.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of the Linux kernel rxrpc decryption/parser flaw over the network maps to initial access through a public-facing service (T1190) and, because the flawed code runs in the kernel, to kernel-level privilege escalation (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: reject undecryptable rxkad response tickets
rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.
Deeper analysis
CVE-2026-31637 is a vulnerability in the Linux kernel's rxrpc implementation, specifically in the rxkad_decrypt_ticket() function. This function decrypts an RXKAD response ticket using crypto_skcipher_decrypt() but proceeds to parse the resulting buffer as plaintext without verifying if the decryption succeeded. A malformed RESPONSE packet with a non-block-aligned ticket length can cause the decryption to fail while still allowing attacker-controlled bytes to be processed by the ticket parser.
Remote attackers can exploit this vulnerability over the network with low complexity and no privileges or user interaction required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By sending a crafted RESPONSE packet, an attacker can cause the ticket parser to run over undecrypted, attacker-controlled data, potentially leading to high-impact confidentiality, integrity, and availability compromises in affected kernels handling rxrpc connections. Two caveats apply when triaging: a host is only exposed if the rxrpc module is loaded and processing RXKAD handshakes (the in-kernel AFS client, kafs, is the main in-tree user), and the advisory text describes the missing check rather than what the parser does with the bad bytes, so the real-world impact on a given kernel depends on the parser's behaviour and is not spelled out here.
Mitigation is provided through kernel patches available in the stable repositories, such as commits 22f6258e7b31dba9bf88dce4e3ee7f0f20072e60, 47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a, 58fcd1b156152613ba00a064a129fb69507ddd7d, a149dcae23309df9de1c3b6b5d468610ef5ab7de, and fe4447cd95623b1cfacc15f280aab73a6d7340b2. These patches add a check for the decryption result in rxkad_decrypt_ticket() and abort the connection with an RXKADBADTICKET error if decryption fails. Security practitioners should apply these updates to every kernel built with rxrpc support (CONFIG_AF_RXRPC and CONFIG_RXKAD), since the module can be loaded on demand even on hosts that are not currently using it.
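The following userspace model, added here as an example, shows the bug pattern described in the analysis above and the shape of the fix the patches apply, alongside the SI-10 input-validation layer discussed under Mitigating Controls. It is not the Linux kernel's rxkad code: the function names (model_decrypt, parse_ticket, decrypt_ticket_vulnerable, decrypt_ticket_fixed, decrypt_ticket_hardened), the 8-byte block size, the ticket layout, the RXKADBADTICKET stand-in value and the sample bytes are all assumptions chosen so the pattern runs stand-alone.

```c
/*
 * Illustrative model of the bug pattern behind CVE-2026-31637 (example code,
 * NOT the Linux kernel's rxkad implementation). Names, the 8-byte block size,
 * the ticket layout and the sample bytes are assumptions for the demo.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 8            /* assumed cipher block size */
#define RXKADBADTICKET (-2)     /* stand-in for the rxkad abort code */

/* Stand-in for crypto_skcipher_decrypt(): refuses input that is not a whole
 * number of blocks and leaves the buffer untouched, i.e. still holding the
 * bytes the sender put on the wire. On success it XORs every byte with a
 * constant so that "decryption" is observable. */
int model_decrypt(uint8_t *buf, size_t len)
{
    if (len % BLOCK_SIZE != 0)
        return -EINVAL;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= 0x5a;
    return 0;
}

/* Assumed ticket layout: [kvno][name_len][name bytes ...]. */
struct ticket {
    uint8_t kvno;
    uint8_t name_len;
    char name[16];
};

/* Parser that assumes buf already holds plaintext. It is bounds-checked;
 * the only flaw in this model is the trust placed in its input. */
static int parse_ticket(const uint8_t *buf, size_t len, struct ticket *t)
{
    if (len < 2)
        return -EINVAL;
    t->kvno = buf[0];
    t->name_len = buf[1];
    if (t->name_len >= sizeof t->name || (size_t)t->name_len + 2 > len)
        return -EINVAL;
    memcpy(t->name, buf + 2, t->name_len);
    t->name[t->name_len] = '\0';
    return 0;
}

/* Vulnerable pattern: the decrypt status is dropped, so on failure the
 * parser consumes the sender's raw bytes as if they were plaintext. */
int decrypt_ticket_vulnerable(uint8_t *buf, size_t len, struct ticket *t)
{
    (void)model_decrypt(buf, len);      /* result ignored */
    return parse_ticket(buf, len, t);
}

/* Fixed pattern, as the NVD text describes: check the decrypt result and
 * abort with RXKADBADTICKET before any parsing happens. */
int decrypt_ticket_fixed(uint8_t *buf, size_t len, struct ticket *t)
{
    if (model_decrypt(buf, len) < 0)
        return RXKADBADTICKET;
    return parse_ticket(buf, len, t);
}

/* Extra SI-10 style layer (editor's addition, not part of the upstream fix):
 * reject a length that cannot be a whole number of blocks before touching
 * the cipher. It narrows the input space but does not replace the check. */
int decrypt_ticket_hardened(uint8_t *buf, size_t len, struct ticket *t)
{
    if (len == 0 || len % BLOCK_SIZE != 0)
        return RXKADBADTICKET;
    return decrypt_ticket_fixed(buf, len, t);
}

/* Constructed sample inputs (not real RXKAD packets). */
static const uint8_t UNALIGNED_WIRE[7] = { 0x03, 0x05, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t ALIGNED_PLAIN[8]  = { 0x01, 0x03, 'b', 'o', 'b', 0, 0, 0 };

struct ticket last_ticket;   /* filled in by the case functions below */

/* 7-byte ticket through the vulnerable path: decrypt fails, the sender's
 * bytes are parsed anyway. Returns the parser's status. */
int case_unaligned_vulnerable(void)
{
    uint8_t buf[sizeof UNALIGNED_WIRE];
    memcpy(buf, UNALIGNED_WIRE, sizeof buf);
    memset(&last_ticket, 0, sizeof last_ticket);
    return decrypt_ticket_vulnerable(buf, sizeof buf, &last_ticket);
}

/* Same 7 bytes through the fixed path: the connection would be aborted. */
int case_unaligned_fixed(void)
{
    uint8_t buf[sizeof UNALIGNED_WIRE];
    memcpy(buf, UNALIGNED_WIRE, sizeof buf);
    memset(&last_ticket, 0, sizeof last_ticket);
    return decrypt_ticket_fixed(buf, sizeof buf, &last_ticket);
}

/* Well-formed 8-byte ticket: "encrypt" the sample with the same XOR, then
 * run the hardened path, which must decrypt and parse it normally. */
int case_aligned_hardened(void)
{
    uint8_t buf[sizeof ALIGNED_PLAIN];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = ALIGNED_PLAIN[i] ^ 0x5a;
    memset(&last_ticket, 0, sizeof last_ticket);
    return decrypt_ticket_hardened(buf, sizeof buf, &last_ticket);
}

int main(void)
{
    int st = case_unaligned_vulnerable();
    printf("vulnerable, 7-byte ticket: status %d, kvno %u, name \"%s\"\n",
           st, last_ticket.kvno, last_ticket.name);
    st = case_unaligned_fixed();
    printf("fixed, 7-byte ticket:      status %d\n", st);
    st = case_aligned_hardened();
    printf("hardened, 8-byte ticket:   status %d, kvno %u, name \"%s\"\n",
           st, last_ticket.kvno, last_ticket.name);
    return 0;
}
```

The vulnerable path reports success and returns kvno 3 and the name "admin" straight from the wire bytes, even though no decryption took place; the fixed path returns the abort code for the same input, and only the well-formed 8-byte ticket is decrypted and parsed. The parser in this model is bounds-checked on purpose: the point is that the check in the patches is what keeps untrusted bytes away from the parser, regardless of how robust the parser is.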
Details
- CWE(s)