Cyber Resilience

CVE-2026-31719

High

Published: 01 May 2026

Published
01 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0004 12.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31719 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal or Forge Kerberos Tickets (T1558); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2026-31719 affects the Linux kernel's krb5enc cryptographic module, which handles Kerberos 5 encryption and decryption. The vulnerability arises in krb5enc_dispatch_decrypt(), where the skcipher completion callback is incorrectly set to the caller's own handler. This causes asynchronous decryption to signal completion to the caller without invoking krb5enc_dispatch_decrypt_hash(), thereby skipping the integrity verification via hash check. The encrypt path avoids this issue by using an intermediate callback, krb5enc_encrypt_done, to chain into hash computation.

A network-based attacker requires no privileges or user interaction and faces low attack complexity, per the CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Exploitation enables high integrity impact by bypassing hash verification during async decryption, potentially allowing acceptance of tampered Kerberos-encrypted data. Additional fixes address improper EBUSY/EINPROGRESS handling and unset MAY_BACKLOG on async paths to prevent misleading notifications.

Mitigation involves applying patches from the Linux kernel stable repository, available via commits 07cbb1bd424370671814a862913c99a6e1441588, 3bfbf5f0a99c991769ec562721285df7ab69240b, and e51f42114abbdf47f29dda43e7826be28907fcd2. These introduce krb5enc_decrypt_done as an intermediate callback to ensure hash verification on async skcipher completion, matching the encrypt path, while correcting request completion and backlog signaling.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: crypto: krb5enc - fix async decrypt skipping hash verification krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher callback, which is the caller's own completion handler. When the skcipher completes asynchronously, this signals…

more

"done" to the caller without executing krb5enc_dispatch_decrypt_hash(), completely bypassing the integrity verification (hash check). Compare with the encrypt path which correctly uses krb5enc_encrypt_done as an intermediate callback to chain into the hash computation on async completion. Fix by adding krb5enc_decrypt_done as an intermediate callback that chains into krb5enc_dispatch_decrypt_hash() upon async skcipher completion, matching the encrypt path's callback pattern. Also fix EBUSY/EINPROGRESS handling throughout: remove krb5enc_request_complete() which incorrectly swallowed EINPROGRESS notifications that must be passed up to callers waiting on backlogged requests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done for the dispatch_encrypt return value. Unset MAY_BACKLOG on the async completion path so the user won't see back-to-back EINPROGRESS notifications.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1558 Steal or Forge Kerberos Tickets Credential Access
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.
T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Bypassing Kerberos hash verification on async decrypt directly enables forging/modifying tickets (T1558) and tampering with transmitted Kerberos data (T1565.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152Same product: Linux Linux Kernel
CVE-2026-31558Same product: Linux Linux Kernel
CVE-2026-23457Same product: Linux Linux Kernel
CVE-2026-23111Same product: Linux Linux Kernel
CVE-2024-57910Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-31613Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2025-21856Same product: Linux Linux Kernel
CVE-2025-21727Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.1 · 6.15 — 6.18.25 · 6.19 — 7.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely patching of the Linux kernel flaw in krb5enc_dispatch_decrypt() directly remediates the async decryption hash verification bypass.

prevent

Requires FIPS-validated cryptographic mechanisms for integrity protection, addressing improper chaining in Kerberos decryption callbacks.

prevent

Enforces integrity verification of information using hashes, mitigating the skipped krb5enc_dispatch_decrypt_hash() during async operations.

References