{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31638","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.125Z","datePublished":"2026-04-24T14:44:52.122Z","dateUpdated":"2026-05-11T22:12:41.037Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:12:41.037Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Only put the call ref if one was acquired\n\nrxrpc_input_packet_on_conn() can process a to-client packet after the\ncurrent client call on the channel has already been torn down.  In that\ncase chan->call is NULL, rxrpc_try_get_call() returns NULL and there is\nno reference to drop.\n\nThe client-side implicit-end error path does not account for that and\nunconditionally calls rxrpc_put_call().  This turns a protocol error\npath into a kernel crash instead of rejecting the packet.\n\nOnly drop the call reference if one was actually acquired.  Keep the\nexisting protocol error handling unchanged."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rxrpc/io_thread.c"],"versions":[{"version":"5e6ef4f1017c7f844e305283bbd8875af475e2fc","lessThan":"b8f66447448d6c305a51413a67ec8ed26aa7d1dd","status":"affected","versionType":"git"},{"version":"5e6ef4f1017c7f844e305283bbd8875af475e2fc","lessThan":"0c156aff8a2d4fa0d61db7837641975cf0e5452d","status":"affected","versionType":"git"},{"version":"5e6ef4f1017c7f844e305283bbd8875af475e2fc","lessThan":"8299ca146489664e3c0c90a3b8900d8335b1ede4","status":"affected","versionType":"git"},{"version":"5e6ef4f1017c7f844e305283bbd8875af475e2fc","lessThan":"9fb09861e2b8d1abfe2efaf260c9f1d30080ea38","status":"affected","versionType":"git"},{"version":"5e6ef4f1017c7f844e305283bbd8875af475e2fc","lessThan":"6331f1b24a3e85465f6454e003a3e6c22005a5c5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rxrpc/io_thread.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.6.135","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.82","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.18.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.19.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1dd"},{"url":"https://git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452d"},{"url":"https://git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4"},{"url":"https://git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38"},{"url":"https://git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5"}],"title":"rxrpc: Only put the call ref if one was acquired","x_generator":{"engine":"bippy-1.2.0"}}}}