GHSA-5VQJ-W88J-2624

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-24 15:32
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Only put the call ref if one was acquired

rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop.

The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet.

Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-31638"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:43Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Only put the call ref if one was acquired\n\nrxrpc_input_packet_on_conn() can process a to-client packet after the\ncurrent client call on the channel has already been torn down.  In that\ncase chan-\u003ecall is NULL, rxrpc_try_get_call() returns NULL and there is\nno reference to drop.\n\nThe client-side implicit-end error path does not account for that and\nunconditionally calls rxrpc_put_call().  This turns a protocol error\npath into a kernel crash instead of rejecting the packet.\n\nOnly drop the call reference if one was actually acquired.  Keep the\nexisting protocol error handling unchanged.",
  "id": "GHSA-5vqj-w88j-2624",
  "modified": "2026-04-24T15:32:36Z",
  "published": "2026-04-24T15:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31638"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1dd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.