CVE-2026-45998
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix potential UAF after skb_unshare() failure
If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops.
Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided.
And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 < e3bf143b1e98fb3d6d9e6825bcd683974d478e8c | affected |
| Linux | Linux | 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 < bf20f46d94f1db38e6ffc0ca204a5fe0de01b495 | affected |
| Linux | Linux | 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 < 996b0487b3cdda4c91811dbb1c9564626bc840bd | affected |
| Linux | Linux | 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 < 8fde6296c4d4da2be7ab761305ab7f232b94eefd | affected |
| Linux | Linux | 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 < 1f2740150f904bfa60e4bad74d65add3ccb5e7f8 | affected |
| Linux | Linux | 6.2 | affected |
| Linux | Linux | 0 < 6.2 | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.86 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.27 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.4 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
ADP Enrichment
kernel: rxrpc: Fix potential UAF after skb_unshare() failure
Additional References
- https://access.redhat.com/security/cve/CVE-2026-45998
- https://bugzilla.redhat.com/show_bug.cgi?id=2482024
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45998.json
- https://access.redhat.com/errata/RHSA-2026:34911
References
- https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c
- https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495
- https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd
- https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd
- https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.