Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix key reference count leak from call->key

When creating a client call in rxrpc_alloc_client_call(), the code obtains
a reference to the key. This is never cleaned up and gets leaked when the
call is destroyed.

Fix this by freeing call->key in rxrpc_destroy_call().

Before the patch, it shows the key reference counter elevated:

$ cat /proc/keys | grep afs@54321
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
$

After the patch, the invalidated key is removed when the code exits:

$ cat /proc/keys | grep afs@54321
$
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Leak in Linux Kernel via rxrpc key reference count retention leading to potential denial-of-service
Action: Apply Patches
AI Analysis

Impact

The vulnerability resides in the Linux kernel's rxrpc subsystem. When a client call is allocated in rxrpc_alloc_client_call(), the code takes a reference on the associated key but never drops it when the call is destroyed, so every client call leaks one key reference. The leaked key remains visible in /proc/keys even after it has been invalidated, and over time the kernel key table can grow, potentially exhausting kernel resources and degrading system stability. This is a classic reference-count management flaw, identified as CWE-911 (Improper Update of Reference Count); the CVE is also tagged NVD-CWE-Other, indicating an additional unspecified weakness.

Affected Systems

Affected systems include any Linux kernel that incorporates the rxrpc client implementation prior to the patch, specifically kernels 6.2 and the 7.0 release candidates through rc7. All variants declared in the CPE list (linux_kernel) are vulnerable until the fix is applied.

Risk and Exploitability

The CVSS score of 5.5 classifies the risk as moderate (Medium), while an EPSS score below 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be local or dependent on services that use rxrpc; the leak does not provide code execution or remote privilege escalation, but could be used to exhaust the kernel key table. The patch is the preferred remediation; where it cannot be applied immediately, monitor for anomalous key growth.

Generated by OpenCVE AI on April 28, 2026 at 13:52 UTC.
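The analysis above recommends monitoring for anomalous key growth while the patch is pending. The following is an added example, not part of the OpenCVE record or of the kernel patch: a POSIX shell check that scans /proc/keys-formatted lines for rxrpc keys with an unusually high usage count, or that are invalidated yet still present, which is the symptom the commit message's /proc/keys output shows. The function names, the threshold and the sample lines other than the one quoted in the description are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel patch): flag rxrpc keys in
# /proc/keys whose usage count is suspiciously high, or that carry the
# "invalidated" flag yet are still present, i.e. the leak symptom in CVE-2026-31639.
#
# /proc/keys columns: serial flags usage timeout perms uid gid type description
# flags column: I=instantiated R=revoked D=dead Q=quota U=under-construction
#               N=negative i=invalidated

# rxrpc_key_suspects FILE THRESHOLD
# Prints one line per suspect key: serial usage flags description
rxrpc_key_suspects() {
    awk -v thr="$2" '
        $8 == "rxrpc" {
            usage = $3 + 0
            invalidated = index($2, "i") > 0     # lowercase i only
            if (usage > thr || invalidated) {
                desc = $9
                for (i = 10; i <= NF; i++) desc = desc " " $i
                print $1, usage, $2, desc
            }
        }' "$1"
}

# rxrpc_key_suspect_count FILE THRESHOLD -> number of suspect keys
rxrpc_key_suspect_count() {
    rxrpc_key_suspects "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample in /proc/keys layout. The first line is the one quoted in
# the advisory (usage 8053480, invalidated); the others are healthy keys.
SAMPLE_KEYS=$(mktemp)
cat >"$SAMPLE_KEYS" <<'EOF'
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
2a7c0e11 I--Q---       2 perm  3b010000 1000 1000 rxrpc afs@EXAMPLE: ka
0f1e2d3c I--Q---       1 perm  3f010000    0    0 user  build-id: 12
EOF

# Demo run on the sample; on a live host point it at /proc/keys instead.
if [ "$(rxrpc_key_suspect_count "$SAMPLE_KEYS" 1000)" -gt 0 ]; then
    echo "suspect rxrpc keys (serial usage flags description):"
    rxrpc_key_suspects "$SAMPLE_KEYS" 1000
fi
```

Run it from cron against /proc/keys and alert when the count rises between samples; a steadily growing usage figure on a single rxrpc key is the signature of this leak.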

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch that releases call->key in rxrpc_destroy_call().
  • Upgrade the kernel to a version that includes the fix (e.g., any 6.2 or 7.0 rc releases after the commit).
  • If an immediate kernel upgrade is not possible, disable the rxrpc protocol or restrict its use until the patch is applied.


Advisories
Source      ID          Title
Debian DSA  DSA-6238-1  linux security update
History

Tue, 28 Apr 2026 00:15:00 +0000


Mon, 27 Apr 2026 20:30:00 +0000

Values Added
  Weaknesses: NVD-CWE-Other
  CPEs:
    cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
  Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 24 Apr 2026 15:00:00 +0000

Values Added
  Description: the commit message reproduced in the Description section above
  Title: rxrpc: Fix key reference count leak from call->key
  First time appeared: Linux; Linux Kernel
  CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products: Linux; Linux Kernel
MITRE
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-05-11T22:12:42.283Z
Reserved: 2026-03-09T15:48:24.125Z
Link: CVE-2026-31639

Vulnrichment
No data.

NVD
Status: Analyzed
Published: 2026-04-24T15:16:43.240
Modified: 2026-04-27T20:20:27.680
Link: CVE-2026-31639

Redhat
Severity: Low
Public Date: 2026-04-24T00:00:00Z
Links: CVE-2026-31639 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-28T14:00:16Z

Weaknesses