HIGH
rxrpc Rxkad Panic
CVE-2026-46085
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI6.4MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxkad crypto unalignment handling Fix handling of a packet with a misaligned crypto length. Also handle non-ENOMEM errors from decryption by aborting. Further, remove the WARN_ON_ONCE() so that it can't be remotely triggered (a trace line can still be emitted).
02KernelScan AI Analysis
Risk summary
Authenticated remote attackers can trigger kernel warnings and potentially cause denial of service by sending malformed RxRPC packets with misaligned crypto lengths. This affects systems running AFS clients or servers that use the rxrpc protocol with rxkad authentication.
Vulnerability analysis
The vulnerability exists in the rxkad_verify_packet_2() function where misaligned crypto lengths in incoming packets are not aligned before passing to the crypto API, and non-ENOMEM decryption errors are not handled gracefully. Because rxkad is an authenticated security class (Kerberos), the attacker must present valid credentials or have an active authenticated session to reach the vulnerable packet-verification path. The missing length validation can cause the crypto layer to encounter malformed input, while the WARN_ON_ONCE() could be remotely activated by a malicious peer. The fix adds proper length alignment by rounding down to 8-byte boundaries, replaces the remotely-triggerable WARN_ON_ONCE() with proper connection abort handling, and ensures non-ENOMEM crypto errors are handled by aborting the call rather than returning an unhandled error.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.86 | 440d20d95e84 |
| 6.18 | 6.18.27 | f0d3efd03b2a |
| 6.20 | 6.20 | af9271eb666d |
| 6.6 | 6.6.140 | f1c6bd0cc786 |
| 7.0 | 7.0.4 | def304aae2ed |
| mainline | 7.1-rc1 | — |