CVE-2026-45870
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths
The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer(), which calls kmemdup(). When a subsequent decode operation fails, these functions return immediately without freeing previously allocated buffers, causing memory leaks.
The leak in gssx_dec_ctx() is particularly relevant because the caller (gssp_accept_sec_context_upcall) initializes several buffer length fields to non-zero values, resulting in memory allocation:
struct gssx_ctx rctxh = {
.exported_context_token.len = GSSX_max_output_handle_sz,
.mech.len = GSS_OID_MAX_LEN,
.src_name.display_name.len = GSSX_max_princ_sz,
.targ_name.display_name.len = GSSX_max_princ_sz
};
If, for example, gssx_dec_name() succeeds for src_name but fails for targ_name, the memory allocated for exported_context_token, mech, and src_name.display_name remains unreferenced and cannot be reclaimed.
Add error handling with goto-based cleanup to free any previously allocated buffers before returning an error.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1d658336b05f8697d6445834f8867f8ad5e4f735 < c81431b1b9fbd21e9a5a9211b5517b7295d18e6a | affected |
| Linux | Linux | 1d658336b05f8697d6445834f8867f8ad5e4f735 < caf7eff432e91a9eba1c79fa545c2f54be15d62b | affected |
| Linux | Linux | 1d658336b05f8697d6445834f8867f8ad5e4f735 < 64303b92d94c0c7845a273acd8d84b796d6f1db7 | affected |
| Linux | Linux | 1d658336b05f8697d6445834f8867f8ad5e4f735 < df10f23defff22c8d55fe6db74f6e4ce927145bf | affected |
| Linux | Linux | 1d658336b05f8697d6445834f8867f8ad5e4f735 < b4af3806846778799cd4ab0766dc18341e777264 | affected |
| Linux | Linux | 1d658336b05f8697d6445834f8867f8ad5e4f735 < d79b9097a6a2b91471b40755f1225364be5d85ff | affected |
| Linux | Linux | 1d658336b05f8697d6445834f8867f8ad5e4f735 < 3b56eb90feb8a3709417f5624f3871847d42bcb1 | affected |
| Linux | Linux | 1d658336b05f8697d6445834f8867f8ad5e4f735 < 3e6397b056335cc56ef0e9da36c95946a19f5118 | affected |
| Linux | Linux | 3.10 | affected |
| Linux | Linux | 0 < 3.10 | unaffected |
| Linux | Linux | 5.10.252 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.202 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.165 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.128 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.75 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.14 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.4 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c81431b1b9fbd21e9a5a9211b5517b7295d18e6a
- https://git.kernel.org/stable/c/caf7eff432e91a9eba1c79fa545c2f54be15d62b
- https://git.kernel.org/stable/c/64303b92d94c0c7845a273acd8d84b796d6f1db7
- https://git.kernel.org/stable/c/df10f23defff22c8d55fe6db74f6e4ce927145bf
- https://git.kernel.org/stable/c/b4af3806846778799cd4ab0766dc18341e777264
- https://git.kernel.org/stable/c/d79b9097a6a2b91471b40755f1225364be5d85ff
- https://git.kernel.org/stable/c/3b56eb90feb8a3709417f5624f3871847d42bcb1
- https://git.kernel.org/stable/c/3e6397b056335cc56ef0e9da36c95946a19f5118
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.