Skip to main content

Linux Kernel EUVDEUVD-2026-32294

| CVE-2026-45998 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mjcm-hf7x-hm3w
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local AF_RXRPC access with low privileges (AV:L/PR:L); reliable exploitation requires racing an allocation failure, justifying AC:H; full kernel compromise gives C/I/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:37 vuln.today
CVSS changed
Jun 16, 2026 - 13:37 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix potential UAF after skb_unshare() failure

If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops.

Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

AnalysisAI

Use-after-free in the Linux kernel's rxrpc (AF_RXRPC) networking subsystem allows local attackers with low privileges to trigger memory corruption when skb_unshare() fails during packet input handling. Affected Linux kernel versions from 6.2 up to the fixed releases can be exploited to cause a NULL-pointer oops and potentially escalate privileges or crash the system. No public exploit identified at time of analysis; EPSS is very low (0.02%) and the issue is not present in CISA KEV.

Technical ContextAI

The bug lives in net/rxrpc, the kernel implementation of the AF_RXRPC protocol used primarily by AFS (Andrew File System) clients. In rxrpc_input_packet() the code calls skb_unshare() to obtain a private copy of an incoming sk_buff; on allocation failure skb_unshare() frees the original skb and returns NULL, but the caller in rxrpc_io_thread() retains a stale pointer that is later dereferenced through trace_rxrpc_rx_done(), producing a classic CWE-416 use-after-free. The upstream fix relocates the unshare to rxrpc_input_call_event()/rxrpc_input_call_packet() and changes the function signature from skb** to skb*, eliminating the stale pointer write-back. Affected CPEs cover Linux kernel (cpe:2.3:o:linux:linux_kernel) builds with CONFIG_AF_RXRPC enabled, introduced in 6.2 and fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 or later, or apply the upstream commits listed at git.kernel.org/stable/c/1f2740150f90, 8fde6296c4d4, 996b0487b3cd, bf20f46d94f1, and e3bf143b1e98. On Ubuntu systems install the kernels delivered by USN-8371-1 and USN-8370-1; equivalent backports are typically available from RHEL, SUSE, and Debian security trackers. If immediate patching is not possible, blacklist or do not load the rxrpc module (echo 'blacklist rxrpc' >/etc/modprobe.d/rxrpc.conf and rmmod rxrpc) - note this will break any AFS/kAFS workloads relying on it; additionally restrict who can open AF_RXRPC sockets and reduce memory pressure to lower the chance of triggering the allocation-failure path that exposes the UAF.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy