{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31638", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.125Z", "datePublished": "2026-04-24T14:44:52.122Z", "dateUpdated": "2026-05-11T22:12:41.037Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:41.037Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Only put the call ref if one was acquired\n\nrxrpc_input_packet_on_conn() can process a to-client packet after the\ncurrent client call on the channel has already been torn down. In that\ncase chan->call is NULL, rxrpc_try_get_call() returns NULL and there is\nno reference to drop.\n\nThe client-side implicit-end error path does not account for that and\nunconditionally calls rxrpc_put_call(). This turns a protocol error\npath into a kernel crash instead of rejecting the packet.\n\nOnly drop the call reference if one was actually acquired. Keep the\nexisting protocol error handling unchanged."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rxrpc/io_thread.c"], "versions": [{"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc", "lessThan": "b8f66447448d6c305a51413a67ec8ed26aa7d1dd", "status": "affected", "versionType": "git"}, {"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc", "lessThan": "0c156aff8a2d4fa0d61db7837641975cf0e5452d", "status": "affected", "versionType": "git"}, {"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc", "lessThan": "8299ca146489664e3c0c90a3b8900d8335b1ede4", "status": "affected", "versionType": "git"}, {"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc", "lessThan": "9fb09861e2b8d1abfe2efaf260c9f1d30080ea38", "status": "affected", "versionType": "git"}, {"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc", "lessThan": "6331f1b24a3e85465f6454e003a3e6c22005a5c5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rxrpc/io_thread.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1dd"}, {"url": "https://git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452d"}, {"url": "https://git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4"}, {"url": "https://git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38"}, {"url": "https://git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5"}], "title": "rxrpc: Only put the call ref if one was acquired", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8AD2A-FCEB-42B6-8B79-66822D8E7C37", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Only put the call ref if one was acquired\n\nrxrpc_input_packet_on_conn() can process a to-client packet after the\ncurrent client call on the channel has already been torn down. In that\ncase chan->call is NULL, rxrpc_try_get_call() returns NULL and there is\nno reference to drop.\n\nThe client-side implicit-end error path does not account for that and\nunconditionally calls rxrpc_put_call(). This turns a protocol error\npath into a kernel crash instead of rejecting the packet.\n\nOnly drop the call reference if one was actually acquired. Keep the\nexisting protocol error handling unchanged."}], "id": "CVE-2026-31638", "lastModified": "2026-04-27T20:20:36.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:43.127", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1dd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: rxrpc: Only put the call ref if one was acquired", "id": "2461542", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461542"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's rxrpc subsystem. This vulnerability occurs when the system processes a packet intended for a client after the client's call on the channel has already been terminated. An attacker could exploit this protocol error path, which improperly handles call references, to trigger a kernel crash, leading to a Denial of Service (DoS)."], "name": "CVE-2026-31638", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31638\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31638\nhttps://lore.kernel.org/linux-cve-announce/2026042456-CVE-2026-31638-e40c@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e6ef4f1017c7f844e305283bbd8875af475e2fc,b8f66447448d6c305a51413a67ec8ed26aa7d1dd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e6ef4f1017c7f844e305283bbd8875af475e2fc,0c156aff8a2d4fa0d61db7837641975cf0e5452d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e6ef4f1017c7f844e305283bbd8875af475e2fc,8299ca146489664e3c0c90a3b8900d8335b1ede4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e6ef4f1017c7f844e305283bbd8875af475e2fc,9fb09861e2b8d1abfe2efaf260c9f1d30080ea38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e6ef4f1017c7f844e305283bbd8875af475e2fc,6331f1b24a3e85465f6454e003a3e6c22005a5c5)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:37:03.854514+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel patch that removes the unconditional call to rxrpc_put_call(), ensuring the reference is only decremented when a call was actually obtained.", "If the kernel cannot be updated immediately, restrict network access to the rxrpc protocol by configuring a firewall or disabling the rxrpc socket service on the system.", "After the patch or configuration change, reboot the system to ensure the crash path is removed and verify that the kernel exits without panic episodes."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via Kernel Crash"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Linux kernel builds that include the vulnerable rxrpc code. The supplied CPE list covers the generic kernel and specific releases 6.2 and 7.0 release candidates (rc1 through rc7). Any system running an affected version of the Linux kernel is at risk.", "description_and_impact": "In the Linux kernel, a null\u2011pointer dereference is introduced in the rxrpc subsystem. When the kernel processes a to\u2011client packet after the associated client call on a channel has been torn down, the code incorrectly attempts to drop a call reference that was never acquired. This unconditionally invokes a reference release on a NULL pointer, which triggers a kernel panic. The fault results in an immediate loss of availability for the affected system.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity denial\u2011of\u2011service risk. The EPSS score of less than 1\u202f% suggests that exploitation is currently rare, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Because rxrpc is a kernel\u2011level RPC protocol, the likely attack vector is a network attacker sending a crafted packet to the kernel. An attacker would need to connect over the rxrpc socket or otherwise inject a bad packet directed at the vulnerable channel. The impact is a kernel crash that brings down the host, though no elevation of privilege or data theft is described."}}}}, "created": "2026-04-27T18:45:11.322333+00:00", "updated": "2026-04-28T23:45:16.052937+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}