{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31639","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.125Z","datePublished":"2026-04-24T14:44:52.769Z","dateUpdated":"2026-05-11T22:12:42.283Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:12:42.283Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix key reference count leak from call->key\n\nWhen creating a client call in rxrpc_alloc_client_call(), the code obtains\na reference to the key.  This is never cleaned up and gets leaked when the\ncall is destroyed.\n\nFix this by freeing call->key in rxrpc_destroy_call().\n\nBefore the patch, it shows the key reference counter elevated:\n\n$ cat /proc/keys | grep afs@54321\n1bffe9cd I--Q--i 8053480 4169w 3b010000  1000  1000 rxrpc     afs@54321: ka\n$\n\nAfter the patch, the invalidated key is removed when the code exits:\n\n$ cat /proc/keys | grep afs@54321\n$"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rxrpc/call_object.c"],"versions":[{"version":"f3441d4125fc98995858550a5521b8d7daf0504a","lessThan":"f1a7a3ab0f35f83cf11bba906b9e948cf3788c28","status":"affected","versionType":"git"},{"version":"f3441d4125fc98995858550a5521b8d7daf0504a","lessThan":"e6b7943c5dc875647499da09bf4d50a8557ab0c3","status":"affected","versionType":"git"},{"version":"f3441d4125fc98995858550a5521b8d7daf0504a","lessThan":"2e6ef713b1598f6acd7f302fa6b12b6731c89914","status":"affected","versionType":"git"},{"version":"f3441d4125fc98995858550a5521b8d7daf0504a","lessThan":"978108902ee4ef2b348ff7ec36ad014dc5bc6dc6","status":"affected","versionType":"git"},{"version":"f3441d4125fc98995858550a5521b8d7daf0504a","lessThan":"d666540d217e8d420544ebdfbadeedd623562733","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rxrpc/call_object.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.6.135","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.82","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.18.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.19.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f1a7a3ab0f35f83cf11bba906b9e948cf3788c28"},{"url":"https://git.kernel.org/stable/c/e6b7943c5dc875647499da09bf4d50a8557ab0c3"},{"url":"https://git.kernel.org/stable/c/2e6ef713b1598f6acd7f302fa6b12b6731c89914"},{"url":"https://git.kernel.org/stable/c/978108902ee4ef2b348ff7ec36ad014dc5bc6dc6"},{"url":"https://git.kernel.org/stable/c/d666540d217e8d420544ebdfbadeedd623562733"}],"title":"rxrpc: Fix key reference count leak from call->key","x_generator":{"engine":"bippy-1.2.0"}}}}