Linux Kernel rxrpc: UAF Fix after skb_unshare() failure
CVE-2026-45998 Published on May 27, 2026
rxrpc: Fix potential UAF after skb_unshare() failure
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix potential UAF after skb_unshare() failure
If skb_unshare() fails to unshare a packet due to allocation failure in
rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
will be NULL'd out. This will likely cause the call to
trace_rxrpc_rx_done() to oops.
Fix this by moving the unsharing down to where rxrpc_input_call_event()
calls rxrpc_input_call_packet(). There are a number of places prior to
that where we ignore DATA packets for a variety of reasons (such as the
call already being complete) for which an unshare is then avoided.
And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.
Products Associated with CVE-2026-45998
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
Linux:- Version 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 and below e3bf143b1e98fb3d6d9e6825bcd683974d478e8c is affected.
- Version 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 and below bf20f46d94f1db38e6ffc0ca204a5fe0de01b495 is affected.
- Version 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 and below 996b0487b3cdda4c91811dbb1c9564626bc840bd is affected.
- Version 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 and below 8fde6296c4d4da2be7ab761305ab7f232b94eefd is affected.
- Version 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 and below 1f2740150f904bfa60e4bad74d65add3ccb5e7f8 is affected.
- Version 6.2 is affected.
- Before 6.2 is unaffected.
- Version 6.6.140, <= 6.6.* is unaffected.
- Version 6.12.86, <= 6.12.* is unaffected.
- Version 6.18.27, <= 6.18.* is unaffected.
- Version 7.0.4, <= 7.0.* is unaffected.
- Version 7.1-rc1, <= * is unaffected.