CVE-2026-31638

HIGH

rxrpc: Only put the call ref if one was acquired

Title source: cna

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet. Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.

References (5)

https://git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1dd

https://git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452d

https://git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4

https://git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38

https://git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5

Scores

CVSS v3 7.5

EPSS 0.0007

EPSS Percentile 20.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-476

Status published

Products (15)

Linux/Linux < 6.2

Linux/Linux 5e6ef4f1017c7f844e305283bbd8875af475e2fc - 0c156aff8a2d4fa0d61db7837641975cf0e5452d

Linux/Linux 5e6ef4f1017c7f844e305283bbd8875af475e2fc - 6331f1b24a3e85465f6454e003a3e6c22005a5c5

Linux/Linux 5e6ef4f1017c7f844e305283bbd8875af475e2fc - 8299ca146489664e3c0c90a3b8900d8335b1ede4

Linux/Linux 5e6ef4f1017c7f844e305283bbd8875af475e2fc - 9fb09861e2b8d1abfe2efaf260c9f1d30080ea38

Linux/Linux 5e6ef4f1017c7f844e305283bbd8875af475e2fc - b8f66447448d6c305a51413a67ec8ed26aa7d1dd

Linux/Linux 6.12.82 - 6.12.*

Linux/Linux 6.18.23 - 6.18.*

Linux/Linux 6.19.13 - 6.19.*

Linux/Linux 6.2

... and 5 more

Published Apr 24, 2026

Tracked Since Apr 24, 2026