CVE-2026-31638
Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Only put the call ref if one was acquired
rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop.
The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet.
Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
10cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.2.1,<6.6.135
- cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
Vulnerability mechanics
References
5- git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452dnvdPatch
- git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5nvdPatch
- git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4nvdPatch
- git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38nvdPatch
- git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1ddnvdPatch
News mentions
0No linked articles in our index yet.