Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial

In rxrpc_post_response(), the code should be comparing the challenge serial
number from the cached response before deciding to switch to a newer
response, but looks at the newer packet private data instead, rendering the
comparison always false.

Fix this by switching to look at the older packet.

Fix further[1] to substitute the new packet in place of the old one if
newer and also to release whichever we don't use.
Published: 2026-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to stale RxRPC responses
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel’s rxrpc_post_response routine the code mistakenly compares the challenge serial number from a *cached* response against the newer packet’s private data, which makes the comparison always false. As a result, newer responses never replace older ones, so the kernel may continue to serve stale or incorrect data. This faulty logic can lead to inconsistent network state and can render an RxRPC service unresponsive, effectively causing a denial‑of‑service. The bug also involves improper handling of socket buffers. The older packet is not correctly released when a newer replacement is chosen, which creates a memory leak. The combination of stale data delivery and leaked memory constitutes the two CWE root causes that are reflected in the advisory. The vulnerability description does not explicitly state authentication bypass, so only the service disruption and memory leakage ramifications are supported by the official data.

Affected Systems

The flaw is present in any Linux kernel that contains the unpatched rxrpc implementation, including kernel 6.16 and all 7.0 release candidates from rc1 through rc7. Distributions that ship these kernel versions without the applied patch are affected.

Risk and Exploitability

The flaw is rated with a CVSS score of 7.5, placing it in the high severity range. Its EPSS score of less than 1% suggests that exploitation is currently unlikely, and it is not listed in the CISA KEV catalog. Although the description does not spell out an attack vector, it is inferred that an attacker would need to send specially crafted RxRPC packets over the network to trigger the code path. The low probability of exploitation combined with the potential for denial of service results in a moderate overall risk that still warrants timely remediation.

Generated by OpenCVE AI on April 29, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the rxrpc patch, which corrects the comparison logic and ensures that the old socket buffer is released to eliminate the memory‑leak condition (CWE‑1025 and CWE‑401).
  • If a kernel upgrade is not immediately possible, disable the RxRPC module or block RxRPC traffic (port 58659) with firewall rules to prevent external actors from reaching the vulnerable code path.
  • Verify that your kernel build configuration does not enable unused RxRPC features and monitor memory usage for unexpected leaks, ensuring that the patched release releases unused skbs as intended.

Generated by OpenCVE AI on April 29, 2026 at 01:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1025
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false. Fix this by switching to look at the older packet. Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use.
Title rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:43.434Z

Reserved: 2026-03-09T15:48:24.125Z

Link: CVE-2026-31640

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:43.357

Modified: 2026-04-27T20:20:22.350

Link: CVE-2026-31640

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31640 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T01:45:26Z

Weaknesses