Description
In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix cache_request leak in cache_release

When a reader's file descriptor is closed while in the middle of reading
a cache_request (rp->offset != 0), cache_release() decrements the
request's readers count but never checks whether it should free the
request.

In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the
cache_request is removed from the queue and freed along with its buffer
and cache_head reference. cache_release() lacks this cleanup.

The only other path that frees requests with readers == 0 is
cache_dequeue(), but it runs only when CACHE_PENDING transitions from
set to clear. If that transition already happened while readers was
still non-zero, cache_dequeue() will have skipped the request, and no
subsequent call will clean it up.

Add the same cleanup logic from cache_read() to cache_release(): after
decrementing readers, check if it reached 0 with CACHE_PENDING clear,
and if so, dequeue and free the cache_request.
Published: 2026-04-03
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: Memory Leak causing potential denial of service
Action: Patch immediately
AI Analysis

Impact

A defect in the Linux kernel’s sunrpc subsystem prevents proper cleanup of a cache_request object when a client’s file descriptor is closed during a read. The bug allows the request object to remain allocated when the active reader count drops to zero and the pending flag is cleared, leading to a memory leak in the kernel. Repeated occurrence could cause kernel memory exhaustion, reducing system responsiveness or forcing a reboot.
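The ordering that produces the leak can be reproduced with a small userspace model. This is an added example, not kernel source and not the upstream patch: the `model_*` functions, `run_scenario`, the single-slot queue and the `live_requests` counter are assumptions made for illustration, and locking is omitted.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the lifecycle in the description (illustrative names). */
struct cache_head { bool pending; };               /* stands in for CACHE_PENDING */
struct cache_request { struct cache_head *item; char *buf; int readers; };
static int live_requests;                          /* stands in for kernel memory in use */

static struct cache_request *request_new(struct cache_head *h) {
    struct cache_request *rq = calloc(1, sizeof(*rq));
    if (!rq) abort();
    rq->item = h; rq->buf = malloc(64);
    live_requests++;
    return rq;
}

/* Dequeue the request and free it together with its buffer. */
static void request_free(struct cache_request **slot) {
    free((*slot)->buf); free(*slot); *slot = NULL;
    live_requests--;
}

/* Runs only on the PENDING set->clear transition; skips requests that have readers. */
static void model_cache_dequeue(struct cache_head *h, struct cache_request **slot) {
    h->pending = false;
    if (*slot && (*slot)->readers == 0) request_free(slot);
}

/* Reader closes its fd mid-read. The patched form repeats cache_read()'s check. */
static void model_cache_release(struct cache_request **slot, bool patched) {
    (*slot)->readers--;
    if (patched && (*slot)->readers == 0 && !(*slot)->item->pending) request_free(slot);
}

/* Returns how many requests nobody freed for the given code version and ordering. */
int run_scenario(bool patched, bool close_before_clear) {
    struct cache_head h = { .pending = true };
    live_requests = 0;
    struct cache_request *slot = request_new(&h);
    slot->readers++;                               /* partial read: rp->offset != 0 */
    if (close_before_clear) { model_cache_release(&slot, patched); model_cache_dequeue(&h, &slot); }
    else                    { model_cache_dequeue(&h, &slot); model_cache_release(&slot, patched); }
    int leaked = live_requests;
    if (slot) request_free(&slot);                 /* tidy up the model's own memory */
    return leaked;
}

int main(void) { printf("unpatched=%d patched=%d\n", run_scenario(false, false), run_scenario(true, false)); return 0; }
```

Only the ordering in which CACHE_PENDING clears while a reader is still attached leaks in the unpatched model; when the descriptor closes first, `model_cache_dequeue()` still frees the request.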

Affected Systems

This issue applies to all Linux kernel versions that lack the recent commit correcting the cache_release cleanup logic. No specific distribution or kernel series is listed, so the vulnerability is potentially present in any unpatched system that has a kernel older than the patch. Administrators should verify that the running kernel includes the commit that adds the missing cleanup in cache_release.

Risk and Exploitability

The flaw does not provide an obvious remote code execution path and is limited to local users or those able to execute kernel modules. Because no EPSS score is available and the vulnerability is not catalogued in CISA’s Known Exploited Vulnerabilities list, widespread exploitation is unlikely. However, an attacker with local access could repeatedly trigger the scenario, progressively draining kernel memory and potentially causing a denial of service. The risk is moderate, mainly due to the impact on availability rather than confidentiality or integrity.

Generated by OpenCVE AI on April 3, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the cache_release cleanup commit.
  • Verify the current kernel reflects the patch by checking the commit history or kernel version string.
  • If a patch cannot be applied immediately, monitor system memory usage for abnormal growth and consider disabling SunRPC services until the kernel is updated.
  • Apply any vendor-provided security updates or builds that incorporate the fast track fix.


Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-762

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description (added; same text as the Description at the top of this page)
Title sunrpc: fix cache_request leak in cache_release
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:16:03.906Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31400

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T16:16:38.623

Modified: 2026-04-03T16:16:38.623

Link: CVE-2026-31400

Red Hat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31400 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:26Z

Weaknesses