HIGHCVE-2026-31638Published Modified CNA Linux
CVE-2026-31638: rxrpc: Only put the call ref if one was acquired
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet. Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
00c156aff8a2d4fa0d61db7837641975cf0e5452d6.6.1356.12.826.18.236.19.136331f1b24a3e85465f6454e003a3e6c22005a5c57.08299ca146489664e3c0c90a3b8900d8335b1ede49fb09861e2b8d1abfe2efaf260c9f1d30080ea38b8f66447448d6c305a51413a67ec8ed26aa7d1dd
Affected packages
- Linux / Linux< b8f66447448d6c305a51413a67ec8ed26aa7d1dd (from 5e6ef4f1017c7f844e305283bbd8875af475e2fc) · < 0c156aff8a2d4fa0d61db7837641975cf0e5452d (from 5e6ef4f1017c7f844e305283bbd8875af475e2fc) · < 8299ca146489664e3c0c90a3b8900d8335b1ede4 (from 5e6ef4f1017c7f844e305283bbd8875af475e2fc) · < 9fb09861e2b8d1abfe2efaf260c9f1d30080ea38 (from 5e6ef4f1017c7f844e305283bbd8875af475e2fc) · < 6331f1b24a3e85465f6454e003a3e6c22005a5c5 (from 5e6ef4f1017c7f844e305283bbd8875af475e2fc)
- Linux / Linux6.2Fixed in 0, 6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H