Skip to main content

Linux CVE-2026-31400

| EUVDEUVD-2026-18782 MEDIUM
Memory Leak (CWE-401)
2026-04-03 Linux GHSA-73jc-99jj-ch5v
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 20, 2026 - 12:37 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
41f6ba6c98a618043d2cd71030bf9a752dfab8b2,373457de14281c1fc7cace6fc4c8a267fc176673,301670dcd098c1fe5c2fe90fb3c7a8f4814d2351
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18782
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix cache_request leak in cache_release

When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request.

In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup.

The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up.

Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request.

AnalysisAI

Linux kernel sunrpc subsystem fails to properly release cache_request objects when file descriptors are closed mid-read, resulting in memory leaks and potential information disclosure through stale cache entries. The vulnerability affects all Linux kernel versions with the affected sunrpc cache implementation, and requires no special privileges or network access to trigger since it occurs during normal file descriptor closure in the kernel's user-space cache management interface.

Technical ContextAI

The Linux kernel's sunrpc (Sun Remote Procedure Call) subsystem manages a user-space cache interface via /proc/net/rpc/ that allows applications to query and update RPC-related cache entries. The cache_request structure tracks active read operations on cache entries, with a readers counter and CACHE_PENDING flag indicating whether a request is still being processed. The vulnerability exists in the cache_release() function, which is invoked when a user-space process closes its file descriptor. When readers count is decremented in cache_release(), the function fails to check whether the request should be freed-a cleanup operation that exists in cache_read() but is absent in cache_release(). This asymmetry means that if a file descriptor closes mid-read (rp->offset != 0) and CACHE_PENDING has already transitioned to clear, the cache_request and its associated buffer and cache_head reference are never freed. The root cause is missing resource cleanup logic in the file descriptor release path.

RemediationAI

Apply the upstream kernel patch by updating to a kernel version incorporating one of the referenced git commits. Patch availability can be verified at https://git.kernel.org/stable/ using the commit hashes provided. The fix adds cleanup logic to cache_release() that mirrors the dequeue and free operations in cache_read(): after decrementing the readers counter, the function now checks if readers has reached 0 and CACHE_PENDING is clear, and if both conditions are met, dequeues and frees the cache_request along with its associated buffer and cache_head reference. System administrators should prioritize kernel updates for systems running services that interact with the sunrpc cache interface, particularly NFS servers and clients. No workaround is available beyond kernel patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-31400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy