Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet. Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 6.2.1, < 6.6.135 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452dPatch
- https://git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5Patch
- https://git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4Patch
- https://git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38Patch
- https://git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1ddPatch
FAQ
What is CVE-2026-31638?
CVE-2026-31638 is a vulnerability with a CVSS score of 7.5 (HIGH). In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current cli...
How severe is CVE-2026-31638?
CVE-2026-31638 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-31638?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.