Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix recvmsg() unconditional requeue

If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at
the front of the recvmsg queue already has its mutex locked, it requeues
the call - whether or not the call is already queued. The call may be on
the queue because MSG_PEEK was also passed and so the call was not dequeued
or because the I/O thread requeued it.

The unconditional requeue may then corrupt the recvmsg queue, leading to
things like UAFs or refcount underruns.

Fix this by only requeuing the call if it isn't already on the queue - and
moving it to the front if it is already queued. If we don't queue it, we
have to put the ref we obtained by dequeuing it.

Also, MSG_PEEK doesn't dequeue the call so shouldn't call
rxrpc_notify_socket() for the call if we didn't use up all the data on the
queue, so fix that also.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential kernel memory corruption that may lead to remote code execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Linux kernel's rxrpc implementation causes the recvmsg() routine to requeue a request unconditionally when the MSG_DONTWAIT flag is specified and the mutex for the front of the queue is already locked. This logic can corrupt the recvmsg queue, resulting in use‑after‑free or reference‑count underrun bugs that an attacker could exploit to execute arbitrary code in kernel context. Based on the description, it is inferred that an attacker might potentially exploit this vulnerability to execute arbitrary code in kernel context. The vulnerability arises when the queue contains a request from a previous MSG_PEEK operation or an I/O thread that has already requeued it, and the function proceeds to requeue it again regardless of its current state.

Affected Systems

Linux kernel versions 6.19 rc1 through rc6 are affected; any system running these release candidates would be vulnerable. No other vendor or commercial kernel versions are listed as impacted.

Risk and Exploitability

The CVSS score of 7.8 classifies this as a High‑severity flaw, while the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attacker would need to run a program that opens an rxrpc socket with MSG_DONTWAIT and possibly MSG_PEEK to trigger the requeue logic. Based on the description, it is inferred that if exploited, the impact could be system‑wide compromise.

Generated by OpenCVE AI on April 16, 2026 at 06:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that fixes the unconditional requeue bug in rxrpc_recvmsg
  • Upgrade the system to a Linux kernel version newer than 6.19 rc6 (i.e., rc7 or a stable release that contains the fix)
  • If upgrading is not immediately possible, restrict or disable the use of rxrpc sockets in applications that can specify MSG_DONTWAIT or MSG_PEEK

Generated by OpenCVE AI on April 16, 2026 at 06:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Fri, 13 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 05 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns. Fix this by only requeuing the call if it isn't already on the queue - and moving it to the front if it is already queued. If we don't queue it, we have to put the ref we obtained by dequeuing it. Also, MSG_PEEK doesn't dequeue the call so shouldn't call rxrpc_notify_socket() for the call if we didn't use up all the data on the queue, so fix that also.
Title rxrpc: Fix recvmsg() unconditional requeue
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:31:50.977Z

Reserved: 2026-01-13T15:37:45.954Z

Link: CVE-2026-23066

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-04T17:16:17.303

Modified: 2026-04-03T14:16:22.383

Link: CVE-2026-23066

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23066 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:00:11Z

Weaknesses