Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix memory leaks in rxkad_verify_response()

Fix rxkad_verify_response() to free the ticket and the server key under all
circumstances by initialising the ticket pointer to NULL and then making
all paths through the function after the first allocation has been done go
through a single common epilogue that just releases everything - where all
the releases skip on a NULL pointer.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel function rxkad_verify_response() allocates memory for a ticket and a server key but can leak those allocations on certain code paths. Repeated execution of the vulnerable function results in uncontrolled memory growth, which can exhaust kernel memory and destabilize the system or cause it to fail. The flaw does not directly influence confidentiality or integrity, but it undermines availability. This behavior aligns with CWE-772 (Unreleased Resource). Based on the description, it is inferred that an attacker would need a local process with sufficient privileges to repeatedly invoke the function.

Affected Systems

All Linux kernel releases that include the rxrpc stack and have not incorporated the patch identified by commits 34f61a0, 852b9d6, 861b9a0, c4b8f32, and c91f33f are affected. Any distribution using the default kernel configuration with rxrpc enabled is subject to the vulnerability.

Risk and Exploitability

The EPSS score is < 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need a local process with sufficient privileges to repeatedly invoke the vulnerable function. The CVSS score of 7.0 reflects a medium severity impact on system availability, but the very low EPSS suggests the practical likelihood of exploitation is low. Without the patch, a well‑resourced local attacker could deplete kernel memory and cause a denial of service. The lack of a public exploit further reduces the immediate threat, though the potential impact on availability warrants mitigation.

Generated by OpenCVE AI on May 29, 2026 at 04:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that incorporates the rxkad_verify_response() fix demonstrated in the listed commit references, ensuring all allocations are properly released (addresses CWE-772).
  • If a kernel update is not immediately feasible, reconfigure the kernel to disable the rxrpc protocol (CONFIG_RXRPC=n) to prevent the vulnerable code from executing.
  • Monitor kernel memory usage for abnormal growth patterns and review system logs for repeated allocation failures, which may indicate attempts to trigger the vulnerability; this mitigates potential resource exhaustion stemming from CWE-772.

Generated by OpenCVE AI on May 29, 2026 at 04:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Fri, 29 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368
CWE-404

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368
CWE-404

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix memory leaks in rxkad_verify_response() Fix rxkad_verify_response() to free the ticket and the server key under all circumstances by initialising the ticket pointer to NULL and then making all paths through the function after the first allocation has been done go through a single common epilogue that just releases everything - where all the releases skip on a NULL pointer.
Title rxrpc: Fix memory leaks in rxkad_verify_response()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:47:55.135Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46012

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:19.387

Modified: 2026-06-16T15:25:03.130

Link: CVE-2026-46012

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46012 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T05:00:07Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime