CVE-2026-31638

Summary

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Only put the call ref if one was acquired

rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop.

The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet.

Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5e6ef4f1017c7f844e305283bbd8875af475e2fc < b8f66447448d6c305a51413a67ec8ed26aa7d1ddaffected
LinuxLinux5e6ef4f1017c7f844e305283bbd8875af475e2fc < 0c156aff8a2d4fa0d61db7837641975cf0e5452daffected
LinuxLinux5e6ef4f1017c7f844e305283bbd8875af475e2fc < 8299ca146489664e3c0c90a3b8900d8335b1ede4affected
LinuxLinux5e6ef4f1017c7f844e305283bbd8875af475e2fc < 9fb09861e2b8d1abfe2efaf260c9f1d30080ea38affected
LinuxLinux5e6ef4f1017c7f844e305283bbd8875af475e2fc < 6331f1b24a3e85465f6454e003a3e6c22005a5c5affected
LinuxLinux6.2affected
LinuxLinux0 < 6.2unaffected
LinuxLinux6.6.135 <= 6.6.*unaffected
LinuxLinux6.12.82 <= 6.12.*unaffected
LinuxLinux6.18.23 <= 6.18.*unaffected
LinuxLinux6.19.13 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References