Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Only put the call ref if one was acquired

rxrpc_input_packet_on_conn() can process a to-client packet after the
current client call on the channel has already been torn down. In that
case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is
no reference to drop.

The client-side implicit-end error path does not account for that and
unconditionally calls rxrpc_put_call(). This turns a protocol error
path into a kernel crash instead of rejecting the packet.

Only drop the call reference if one was actually acquired. Keep the
existing protocol error handling unchanged.
Published: 2026-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Kernel Crash
Action: Immediate Patch
AI Analysis

Impact

In the Linux kernel, a null‑pointer dereference is introduced in the rxrpc subsystem. When the kernel processes a to‑client packet after the associated client call on a channel has been torn down, the code incorrectly attempts to drop a call reference that was never acquired. This unconditionally invokes a reference release on a NULL pointer, which triggers a kernel panic. The fault results in an immediate loss of availability for the affected system.

Affected Systems

The vulnerability affects all Linux kernel builds that include the vulnerable rxrpc code. The supplied CPE list covers the generic kernel and specific releases 6.2 and 7.0 release candidates (rc1 through rc7). Any system running an affected version of the Linux kernel is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity denial‑of‑service risk. The EPSS score of less than 1 % suggests that exploitation is currently rare, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Because rxrpc is a kernel‑level RPC protocol, the likely attack vector is a network attacker sending a crafted packet to the kernel. An attacker would need to connect over the rxrpc socket or otherwise inject a bad packet directed at the vulnerable channel. The impact is a kernel crash that brings down the host, though no elevation of privilege or data theft is described.

Generated by OpenCVE AI on April 28, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that removes the unconditional call to rxrpc_put_call(), ensuring the reference is only decremented when a call was actually obtained.
  • If the kernel cannot be updated immediately, restrict network access to the rxrpc protocol by configuring a firewall or disabling the rxrpc socket service on the system.
  • After the patch or configuration change, reboot the system to ensure the crash path is removed and verify that the kernel exits without panic episodes.

Generated by OpenCVE AI on April 28, 2026 at 23:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet. Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.
Title rxrpc: Only put the call ref if one was acquired
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:41.037Z

Reserved: 2026-03-09T15:48:24.125Z

Link: CVE-2026-31638

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:43.127

Modified: 2026-04-27T20:20:36.597

Link: CVE-2026-31638

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31638 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses