Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: only handle RESPONSE during service challenge

Only process RESPONSE packets while the service connection is still in
RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
running response verification and security initialization, then use a local
secured flag to decide whether to queue the secured-connection work after
the state transition. This keeps duplicate or late RESPONSE packets from
re-running the setup path and removes the unlocked post-transition state
test.
Published: 2026-04-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the RXRPC subsystem incorrectly processes RESPONSE packets after a service challenge has ended. The flaw allows a malicious host to send duplicate or late RESPONSE frames that trigger the re‑execution of the connection‑setup routine, bypassing the normal secure‑initialization checks. The result is that the kernel can be forced to misconfigure or reset an RXRPC service channel, which may cause repeated resource consumption or misbehaving connections, effectively denying service to legitimate clients.

Affected Systems

Any Linux kernel that contains the unpatched RXRPC code is potentially affected, regardless of distribution. The advisory lists kernel commits that apply the fix; affected releases include any mainline kernel prior to the patch and the forthcoming stable series. System administrators should verify the current kernel version against the commit refs provided in the advisory.

Risk and Exploitability

The CVSS score of 7.5 classifies it as high severity. The EPSS probability is less than 1% indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need network access to the target and the ability to craft specific RXRPC RESPONSE packets, so the vector is remote network. Because the flaw can lead to denial of service, the potential impact is availability degradation of affected services.

Generated by OpenCVE AI on May 6, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to a kernel version that includes the fix, as referenced by the kernel commit log in the advisory.
  • If an immediate upgrade is not possible, block or filter untrusted RXRPC traffic at the perimeter by using firewall rules or access controls to limit exposure until the kernel is patched.
  • Monitor system logs for unexpected RXRPC activity or repeated service‑setup events and keep the kernel updated with the latest mainline or vendor patches.

Generated by OpenCVE AI on May 6, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.
Title rxrpc: only handle RESPONSE during service challenge
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:29.144Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31676

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-25T09:16:01.210

Modified: 2026-05-06T21:31:48.267

Link: CVE-2026-31676

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31676 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z

Weaknesses