Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix memory leaks in rxkad_verify_response()

Fix rxkad_verify_response() to free the ticket and the server key under all
circumstances by initialising the ticket pointer to NULL and then making
all paths through the function after the first allocation has been done go
through a single common epilogue that just releases everything - where all
the releases skip on a NULL pointer.
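As an added illustration of the pattern the commit message describes (not the kernel's own rxkad code), the following C sketch has the same shape: two allocations standing in for the ticket and the server key, pointers initialised to NULL, and one common epilogue whose releases skip NULL, so every exit after the first allocation frees both objects. The names verify_response, tracked_alloc, check_stage and the "bad-key"/"bad-ticket" inputs are constructed for this example.

```c
/* Illustrative fix pattern, not the kernel's rxkad code: every pointer
 * starts as NULL and every path after the first allocation exits through
 * one epilogue whose releases skip NULL, so no path can leak. */
#include <stdlib.h>
#include <string.h>

struct ticket { char data[32]; };      /* constructed stand-ins */
struct server_key { char data[16]; };
static int live_allocations;           /* lets a test prove nothing leaks */

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p) live_allocations++;
    return p;
}

static void tracked_free(void *p)
{
    if (!p) return;                    /* NULL-safe, like kfree()/key_put() */
    live_allocations--;
    free(p);
}

/* Hypothetical checks: "bad-key" fails the first, "bad-ticket" the second. */
static int check_stage(const char *resp, const char *bad)
{
    return strcmp(resp, bad) == 0 ? -1 : 0;
}

/* Returns 0 on success, -1 on failure; key and ticket are always freed. */
int verify_response(const char *resp)
{
    struct server_key *key = NULL;
    struct ticket *ticket = NULL;
    int ret = -1;

    key = tracked_alloc(sizeof(*key));
    if (!key || check_stage(resp, "bad-key") < 0)
        goto out;                      /* key released by the epilogue */
    ticket = tracked_alloc(sizeof(*ticket));
    if (!ticket || check_stage(resp, "bad-ticket") < 0)
        goto out;                      /* both released by the epilogue */
    ret = 0;
out:
    tracked_free(ticket);              /* single common epilogue */
    tracked_free(key);
    return ret;
}
```

The counter makes the property checkable: after the success path and after each failure path, live_allocations is back to zero.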
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel function rxkad_verify_response() allocates memory for a ticket and a server key but can leak those allocations on certain code paths. Repeated execution of the vulnerable function results in uncontrolled memory growth, which can exhaust kernel memory and destabilize the system or cause it to fail. The flaw does not directly influence confidentiality or integrity, but it undermines availability. Based on the description, it is inferred that an attacker would need a local process with sufficient privileges to repeatedly invoke the function.

Affected Systems

All Linux kernel releases that include the rxrpc stack and have not incorporated the patch identified by commits 34f61a0, 852b9d6, 861b9a0, c4b8f32, and c91f33f are affected. Any distribution using the default kernel configuration with rxrpc enabled is subject to the vulnerability.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likelihood of exploitation is moderate. Without the patch, a well-resourced local attacker could bring the system to a state of resource exhaustion, resulting in a denial of service. The absence of a public exploit reduces the immediate threat, but the potential impact on availability warrants prompt mitigation.

Generated by OpenCVE AI on May 27, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that incorporates the rxkad_verify_response() fix from the listed commit references.
  • If a kernel update is not immediately feasible, reconfigure the kernel to disable the rxrpc protocol (CONFIG_RXRPC=n) to prevent the vulnerable code from executing.
  • Monitor kernel memory usage for abnormal growth patterns and review system logs for repeated allocation failures, which may indicate attempts to trigger the vulnerability.

Generated by OpenCVE AI on May 27, 2026 at 20:30 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 20:45:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                CWE-368, CWE-404

Wed, 27 May 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Description          -                In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix memory leaks in rxkad_verify_response() Fix rxkad_verify_response() to free the ticket and the server key under all circumstances by initialising the ticket pointer to NULL and then making all paths through the function after the first allocation has been done go through a single common epilogue that just releases everything - where all the releases skip on a NULL pointer.
Title                -                rxrpc: Fix memory leaks in rxkad_verify_response()
First Time appeared  -                Linux; Linux linux Kernel
CPEs                 -                cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   -                Linux; Linux linux Kernel
References           -                -

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:14.131Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46012

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:19.387

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46012

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:30:40Z

Weaknesses