Linux Kernel: rxrpc Implicit-End Error Path Causes Kernel Crash
CVE-2026-31638 Published on April 24, 2026
rxrpc: Only put the call ref if one was acquired
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Only put the call ref if one was acquired
rxrpc_input_packet_on_conn() can process a to-client packet after the
current client call on the channel has already been torn down. In that
case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is
no reference to drop.
The client-side implicit-end error path does not account for that and
unconditionally calls rxrpc_put_call(). This turns a protocol error
path into a kernel crash instead of rejecting the packet.
Only drop the call reference if one was actually acquired. Keep the
existing protocol error handling unchanged.
Products Associated with CVE-2026-31638
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 5e6ef4f1017c7f844e305283bbd8875af475e2fc and below b8f66447448d6c305a51413a67ec8ed26aa7d1dd is affected.
- Version 5e6ef4f1017c7f844e305283bbd8875af475e2fc and below 0c156aff8a2d4fa0d61db7837641975cf0e5452d is affected.
- Version 5e6ef4f1017c7f844e305283bbd8875af475e2fc and below 8299ca146489664e3c0c90a3b8900d8335b1ede4 is affected.
- Version 5e6ef4f1017c7f844e305283bbd8875af475e2fc and below 9fb09861e2b8d1abfe2efaf260c9f1d30080ea38 is affected.
- Version 5e6ef4f1017c7f844e305283bbd8875af475e2fc and below 6331f1b24a3e85465f6454e003a3e6c22005a5c5 is affected.
- Version 6.2 is affected.
- Before 6.2 is unaffected.
- Version 6.6.135, <= 6.6.* is unaffected.
- Version 6.12.82, <= 6.12.* is unaffected.
- Version 6.18.23, <= 6.18.* is unaffected.
- Version 6.19.13, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.