CVE-2026-31676
Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: only handle RESPONSE during service challenge
Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.
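The locking pattern described above, as an added userspace model in C; it is not code from the kernel or from the patch. A pthread mutex stands in for state_lock, the `CONN_*` names, the counters and `replay()` are hypothetical, the "before" handler is modelled only from the description, and setup is kept under the lock as a simplification.

```c
/* Userspace model, constructed for illustration; not kernel source. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
enum conn_state { CONN_CHALLENGING, CONN_SECURED }; /* hypothetical names */
struct conn {
    pthread_mutex_t state_lock;
    enum conn_state state;
    int setup_runs;  /* verification + security init executions */
    int work_queued; /* secured-connection work submissions */
};
/* Before: every RESPONSE runs setup; queue decision re-reads state unlocked. */
static void handle_response_unpatched(struct conn *c) {
    c->setup_runs++;
    pthread_mutex_lock(&c->state_lock);
    if (c->state == CONN_CHALLENGING)
        c->state = CONN_SECURED;
    pthread_mutex_unlock(&c->state_lock);
    if (c->state == CONN_SECURED) /* unlocked post-transition test */
        c->work_queued++;
}

/* After: state gate under state_lock; a local flag decides the queueing. */
static void handle_response_patched(struct conn *c) {
    bool secured = false;
    pthread_mutex_lock(&c->state_lock);
    if (c->state == CONN_CHALLENGING) {
        c->setup_runs++; /* runs only for the first RESPONSE */
        c->state = CONN_SECURED;
        secured = true;
    }
    pthread_mutex_unlock(&c->state_lock);
    if (secured)
        c->work_queued++;
}

/* Deliver n RESPONSE packets to one connection; returns setup_runs. */
static int replay(int n, bool patched, int *queued) {
    struct conn c = { PTHREAD_MUTEX_INITIALIZER, CONN_CHALLENGING, 0, 0 };
    while (n-- > 0)
        (patched ? handle_response_patched : handle_response_unpatched)(&c);
    *queued = c.work_queued;
    return c.setup_runs;
}

int main(void) {
    int q1, q2, r1 = replay(3, false, &q1), r2 = replay(3, true, &q2);
    printf("unpatched %d/%d, patched %d/%d\n", r1, q1, r2, q2);
    return 0;
}
```

With one genuine RESPONSE followed by two duplicates, the unpatched model runs setup and queues work three times, while the patched model does each once.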
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's AF_RXRPC, a lack of state locking in service challenge handling allows duplicate RESPONSE packets to trigger a re-run of security setup, potentially leading to denial of service.
Vulnerability
In the Linux kernel's AF_RXRPC protocol implementation, a flaw in service connection handling permits duplicate or late RESPONSE packets to re-run the security initialization path. The code previously did not check the connection state under the state_lock before processing RESPONSE packets, so packets arriving after the connection had transitioned out of the RXRPC_CONN_SERVICE_CHALLENGING state could still trigger response verification and security setup [1].
Exploitation
An attacker able to send crafted AF_RXRPC packets to a service endpoint could exploit this race condition. By sending multiple or timely RESPONSE packets, the security initialization routine could be executed multiple times, leading to repeated queuing of secured-connection work and potential state corruption [2].
Impact
Re-running the setup path may cause resource exhaustion, inconsistent connection state, or denial of service. The vulnerability is rated High (CVSS 7.5) by the vendor, indicating significant availability impact. While the description does not confirm privilege escalation, the re-initialization of security could bypass normal state transitions [3].
Mitigation
The fix adds a state check under state_lock and uses a local secured flag to prevent duplicate processing. The patch has been backported to multiple stable kernel releases via commits [1], [2], [3], and [4]. Users should update their kernels to include these fixes.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=2.6.22,<6.6.136)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
References
- git.kernel.org/stable/c/03fd2ef73cb4ffd0af100a95b634af54f474414e (nvd, Patch)
- git.kernel.org/stable/c/29b44d904dceb832be880def08b8cb17a0aba91c (nvd, Patch)
- git.kernel.org/stable/c/a6bcf8010af093fe04f7100562e9542ab7882585 (nvd, Patch)
- git.kernel.org/stable/c/c43ffdcfdbb5567b1f143556df8a04b4eeea041c (nvd, Patch)
- git.kernel.org/stable/c/d0035e634dae83237ab7f5681eb52b2f65d0ceb8 (nvd, Patch)