rxrpc: Only put the call ref if one was acquired

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-31638
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-04-24 15:16:43 UTC
Updated2026-04-27 20:20:36 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet. Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.

Risk And Classification

Primary CVSS: v3.1 7.5 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000180000 probability, percentile 0.048130000 (date 2026-04-27)

Problem Types: CWE-476

VersionSourceTypeScoreSeverityVector
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1CNADECLARED7.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 5e6ef4f1017c7f844e305283bbd8875af475e2fc b8f66447448d6c305a51413a67ec8ed26aa7d1dd git Not specified
CNA Linux Linux affected 5e6ef4f1017c7f844e305283bbd8875af475e2fc 0c156aff8a2d4fa0d61db7837641975cf0e5452d git Not specified
CNA Linux Linux affected 5e6ef4f1017c7f844e305283bbd8875af475e2fc 8299ca146489664e3c0c90a3b8900d8335b1ede4 git Not specified
CNA Linux Linux affected 5e6ef4f1017c7f844e305283bbd8875af475e2fc 9fb09861e2b8d1abfe2efaf260c9f1d30080ea38 git Not specified
CNA Linux Linux affected 5e6ef4f1017c7f844e305283bbd8875af475e2fc 6331f1b24a3e85465f6454e003a3e6c22005a5c5 git Not specified
CNA Linux Linux affected 6.2 Not specified
CNA Linux Linux unaffected 6.2 semver Not specified
CNA Linux Linux unaffected 6.6.135 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.82 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.23 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.13 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1dd 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report