CVE-2026-31639
Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix key reference count leak from call->key
When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed.
Fix this by freeing call->key in rxrpc_destroy_call().
Before the patch, it shows the key reference counter elevated:
$ cat /proc/keys | grep afs@54321
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
$
After the patch, the invalidated key is removed when the code exits:
$ cat /proc/keys | grep afs@54321
$
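A check for the symptom shown above, as an added example that is not part of the kernel commit or of this CVE record: it parses /proc/keys text and reports rxrpc keys that are still listed while invalidated or that carry an unusually high usage count. The function name, the usage threshold of 1000 and the second and third sample lines are assumptions made for the example.

```python
import re
import sys
from typing import List, NamedTuple

# Columns of /proc/keys: serial, flags, usage, expiry, perm, uid, gid, type, description
LINE_RE = re.compile(
    r"^(?P<serial>[0-9a-f]{8})\s+(?P<flags>\S{7})\s+(?P<usage>\d+)\s+(?P<expiry>\S+)\s+"
    r"(?P<perm>[0-9a-f]{8})\s+(?P<uid>-?\d+)\s+(?P<gid>-?\d+)\s+(?P<type>\S+)\s+(?P<desc>.*)$"
)

class Finding(NamedTuple):
    serial: str
    description: str
    usage: int
    invalidated: bool

def find_leaked_rxrpc_keys(text: str, usage_threshold: int = 1000) -> List[Finding]:
    """Return rxrpc keys that look pinned by leaked references.

    A key is reported when its type is rxrpc and either its usage count is at
    or above usage_threshold (an assumed tuning value) or it carries the
    invalidated flag ('i', the last flag column) yet is still listed.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["type"] != "rxrpc":
            continue  # skip blank or unparseable lines and other key types
        usage = int(m["usage"])
        invalidated = m["flags"][6] == "i"
        if usage >= usage_threshold or invalidated:
            findings.append(Finding(m["serial"], m["desc"].strip(), usage, invalidated))
    return findings

# The first line is the "before the patch" output quoted on this page; the
# other two lines are constructed for the example.
SAMPLE = """\
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
2c1d0a77 I--Q---       2 perm 3b010000 1000 1000 rxrpc afs@example.org: ka
0a5e3f10 I--Q---      14 perm 3f030000    0    0 keyring _ses: 1
"""

if __name__ == "__main__":
    # Pass /proc/keys as the argument on a live host; defaults to SAMPLE.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in find_leaked_rxrpc_keys(data):
        state = "invalidated but still listed" if f.invalidated else "high usage"
        print(f"{f.serial} {f.description} usage={f.usage} ({state})")
```

An invalidated key can remain listed briefly until the kernel's key garbage collector runs, so treat a finding as a leak only when it persists across repeated samples.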
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A key reference count leak in the Linux kernel's rxrpc client calls could lead to resource exhaustion; it is fixed by properly freeing the key on call destruction.
In the Linux kernel's rxrpc subsystem, a reference count leak exists in rxrpc_alloc_client_call(). The function obtains a reference to the call's key but never releases it, leaving the key permanently referenced after the call is destroyed. This can be observed via /proc/keys where the key remains listed with an elevated reference count. [1]
To exploit this, an attacker would need the ability to create many client calls, continuously acquiring key references. No special privileges beyond normal user access are required if the system uses rxrpc client calls (e.g., for AFS). Each call leaks one reference, so repeated call creation can exhaust kernel key resources.
The primary impact is a denial of service due to resource exhaustion. The keyring may fill with stale, unreclaimable keys, preventing new key allocations and potentially affecting other subsystems that depend on key management.
Linux kernel stable branches have been patched via commits [1][2][3][4]. Users are advised to update to the latest kernel versions to close this leak.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.2.1,<6.6.135)
- cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/2e6ef713b1598f6acd7f302fa6b12b6731c89914 (nvd, Patch)
- git.kernel.org/stable/c/978108902ee4ef2b348ff7ec36ad014dc5bc6dc6 (nvd, Patch)
- git.kernel.org/stable/c/d666540d217e8d420544ebdfbadeedd623562733 (nvd, Patch)
- git.kernel.org/stable/c/e6b7943c5dc875647499da09bf4d50a8557ab0c3 (nvd, Patch)
- git.kernel.org/stable/c/f1a7a3ab0f35f83cf11bba906b9e948cf3788c28 (nvd, Patch)