Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix potential UAF after skb_unshare() failure

If skb_unshare() fails to unshare a packet due to allocation failure in
rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
will be NULL'd out. This will likely cause the call to
trace_rxrpc_rx_done() to oops.

Fix this by moving the unsharing down to where rxrpc_input_call_event()
calls rxrpc_input_call_packet(). There are a number of places prior to
that where we ignore DATA packets for a variety of reasons (such as the
call already being complete) for which an unshare is then avoided.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when skb_unshare() fails to unshare a packet due to an allocation failure in rxrpc_input_packet(). The skb pointer in the parent rxrpc_io_thread() is then set to NULL, causing trace_rxrpc_rx_done() to dereference a NULL pointer and trigger a kernel oops. The flaw, identified as CWE-825, can lead to a kernel crash and a denial of service. Based on the description, the attack vector is inferred to involve the transmission of malicious RXRPC packets that trigger the allocation failure and null dereference.

Affected Systems

All Linux kernel builds that include the RXRPC networking stack and have not yet incorporated the fix commit (c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8) are potentially affected. The patch was applied to the mainline kernel, so any system shipping a kernel version prior to that commit is at risk. Since specific version ranges are not listed, administrators should consult the kernel changelog or release notes to determine whether their kernel includes the referenced improvements.

Risk and Exploitability

The CVSS score of 7.0 indicates a high severity for this kernel flaw. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting no known active exploitation at the time of the advisory. Exploitation would require an attacker to send RXRPC traffic that induces an allocation failure, a scenario that might be difficult to reliably reproduce in a stable production environment. Nonetheless, a successful exploit would result in a non‑privileged kernel crash, disrupting availability and potentially allowing privilege escalation if the crash is leveraged in a broader attack chain.

Generated by OpenCVE AI on May 28, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the rxrpc UAF bug fix (commit c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8 or later).
  • If upgrading is not immediately feasible, block inbound RXRPC traffic on affected nodes using firewall rules to prevent triggering the bug.
  • As a last resort, apply the specific commit manually to your kernel source tree, rebuild, and reboot to deploy the fix.

Generated by OpenCVE AI on May 28, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8370-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8371-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8373-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8374-1 Linux kernel vulnerabilities
History

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 28 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skb_unshare() failure If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops. Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.
Title rxrpc: Fix potential UAF after skb_unshare() failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:47:06.713Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-45998

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:17.407

Modified: 2026-06-16T13:25:31.340

Link: CVE-2026-45998

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45998 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T05:30:06Z

Weaknesses