Skip to main content

Linux Kernel CVE-2026-31640

| EUVDEUVD-2026-25533 HIGH
Memory Leak (CWE-401)
2026-04-24 Linux GHSA-gwvh-rgq7-hjcw
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:20 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:39 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25533
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:44 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial

In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false.

Fix this by switching to look at the older packet.

Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use.

AnalysisAI

Linux kernel rxrpc subsystem allows remote denial of service via malformed RESP challenge packets due to incorrect serial number comparison logic. The rxrpc_post_response() function compares challenge serial numbers from the wrong packet structure, causing response queue corruption that can crash the kernel networking stack. This affects Linux kernel versions containing commit 5800b1cf3fd8 through the 6.16-6.19 and 7.0 series. Patches are available from kernel.org for affected stable branches. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploits or active exploitation have been identified, suggesting limited real-world risk despite the network-accessible attack vector.

Technical ContextAI

The rxrpc protocol implementation in the Linux kernel manages authentication challenges and responses for the RxRPC remote procedure call protocol, commonly used by AFS (Andrew File System). The vulnerability resides in rxrpc_post_response() where serial number comparison logic intended to select the correct cached RESP challenge packet instead references the newer packet's private data structure when it should examine the older packet. This logic error causes the comparison to always return false, preventing proper response queue management. The affected code spans multiple kernel versions from the introduction of commit 5800b1cf3fd8ccab752a101865be1e76dac33142 through kernels 6.16-6.19 and 7.0 series. The rxrpc subsystem operates at the network transport layer, handling packet ordering and authentication challenge-response sequences.

RemediationAI

Apply vendor-released patches from the Linux kernel stable tree. Specific fix commits are available: b33f5741bb187db8ff32e8f5b96def77cc94dfca, 20386e7f8d97475b8d815873e246423317ec4260, and 9132b1a7bf83b4a8042fffbc99d075b727a16742 depending on your kernel branch, accessible via https://git.kernel.org/stable/. For distributions, update to patched kernel versions 6.18.24 or later for the 6.18 series, 6.19.14 or later for the 6.19 series, or 7.1 or later for the 7.0 series when released by your distribution vendor. If immediate patching is not feasible, consider disabling the rxrpc kernel module if not required for AFS or other rxrpc-dependent services via 'modprobe -r rxrpc' and blacklisting in /etc/modprobe.d/blacklist.conf with 'blacklist rxrpc', though this will break AFS functionality. Organizations not using AFS or rxrpc-based services can safely disable the module with no functional impact. Verify rxrpc usage before disabling by checking for loaded module with 'lsmod | grep rxrpc' and active connections with 'ss -a | grep rxrpc'.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31640 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy