{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31640", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.125Z", "datePublished": "2026-04-24T14:44:54.024Z", "dateUpdated": "2026-05-11T22:12:43.434Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:43.434Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix use of wrong skb when comparing queued RESP challenge serial\n\nIn rxrpc_post_response(), the code should be comparing the challenge serial\nnumber from the cached response before deciding to switch to a newer\nresponse, but looks at the newer packet private data instead, rendering the\ncomparison always false.\n\nFix this by switching to look at the older packet.\n\nFix further[1] to substitute the new packet in place of the old one if\nnewer and also to release whichever we don't use."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/trace/events/rxrpc.h", "net/rxrpc/conn_event.c"], "versions": [{"version": "5800b1cf3fd8ccab752a101865be1e76dac33142", "lessThan": "9132b1a7bf83b4a8042fffbc99d075b727a16742", "status": "affected", "versionType": "git"}, {"version": "5800b1cf3fd8ccab752a101865be1e76dac33142", "lessThan": "20386e7f8d97475b8d815873e246423317ec4260", "status": "affected", "versionType": "git"}, {"version": "5800b1cf3fd8ccab752a101865be1e76dac33142", "lessThan": "b33f5741bb187db8ff32e8f5b96def77cc94dfca", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/trace/events/rxrpc.h", "net/rxrpc/conn_event.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9132b1a7bf83b4a8042fffbc99d075b727a16742"}, {"url": "https://git.kernel.org/stable/c/20386e7f8d97475b8d815873e246423317ec4260"}, {"url": "https://git.kernel.org/stable/c/b33f5741bb187db8ff32e8f5b96def77cc94dfca"}], "title": "rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAE31F43-AAC5-4801-B2B2-119D62A532A2", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "matchCriteriaId": "6238B17D-C12B-458F-A138-97039BFC4595", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix use of wrong skb when comparing queued RESP challenge serial\n\nIn rxrpc_post_response(), the code should be comparing the challenge serial\nnumber from the cached response before deciding to switch to a newer\nresponse, but looks at the newer packet private data instead, rendering the\ncomparison always false.\n\nFix this by switching to look at the older packet.\n\nFix further[1] to substitute the new packet in place of the old one if\nnewer and also to release whichever we don't use."}], "id": "CVE-2026-31640", "lastModified": "2026-04-27T20:20:22.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:43.357", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/20386e7f8d97475b8d815873e246423317ec4260"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9132b1a7bf83b4a8042fffbc99d075b727a16742"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b33f5741bb187db8ff32e8f5b96def77cc94dfca"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial", "id": "2461555", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461555"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1025", "details": ["A flaw was found in the Linux kernel's rxrpc component. This vulnerability occurs in the `rxrpc_post_response()` function, where the system incorrectly compares a newer network packet's data instead of the expected cached response. This error causes the challenge serial number comparison to always be false, preventing the system from correctly evaluating and potentially switching to newer network responses. This could lead to the system operating with outdated information or processing network communications incorrectly, potentially impacting the reliability of network services."], "name": "CVE-2026-31640", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31640\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31640\nhttps://lore.kernel.org/linux-cve-announce/2026042456-CVE-2026-31640-3477@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5800b1cf3fd8ccab752a101865be1e76dac33142,9132b1a7bf83b4a8042fffbc99d075b727a16742)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5800b1cf3fd8ccab752a101865be1e76dac33142,20386e7f8d97475b8d815873e246423317ec4260)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5800b1cf3fd8ccab752a101865be1e76dac33142,b33f5741bb187db8ff32e8f5b96def77cc94dfca)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T01:38:01.266772+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the rxrpc patch, which corrects the comparison logic and ensures that the old socket buffer is released to eliminate the memory\u2011leak condition (CWE\u20111025 and CWE\u2011401).", "If a kernel upgrade is not immediately possible, disable the RxRPC module or block RxRPC traffic (port 58659) with firewall rules to prevent external actors from reaching the vulnerable code path.", "Verify that your kernel build configuration does not enable unused RxRPC features and monitor memory usage for unexpected leaks, ensuring that the patched release releases unused skbs as intended."], "summary": {"action": "Apply Patch", "impact": "Denial of Service due to stale RxRPC responses"}, "threat_synthesis": {"affected_systems": "The flaw is present in any Linux kernel that contains the unpatched rxrpc implementation, including kernel 6.16 and all 7.0 release candidates from rc1 through rc7. Distributions that ship these kernel versions without the applied patch are affected.", "description_and_impact": "In the Linux kernel\u2019s rxrpc_post_response routine the code mistakenly compares the challenge serial number from a *cached* response against the newer packet\u2019s private data, which makes the comparison always false. As a result, newer responses never replace older ones, so the kernel may continue to serve stale or incorrect data. This faulty logic can lead to inconsistent network state and can render an RxRPC service unresponsive, effectively causing a denial\u2011of\u2011service.\n\nThe bug also involves improper handling of socket buffers. The older packet is not correctly released when a newer replacement is chosen, which creates a memory leak. The combination of stale data delivery and leaked memory constitutes the two CWE root causes that are reflected in the advisory.\n\nThe vulnerability description does not explicitly state authentication bypass, so only the service disruption and memory leakage ramifications are supported by the official data.\n\n", "risk_and_exploitability": "The flaw is rated with a CVSS score of 7.5, placing it in the high severity range. Its EPSS score of less than 1% suggests that exploitation is currently unlikely, and it is not listed in the CISA KEV catalog. Although the description does not spell out an attack vector, it is inferred that an attacker would need to send specially crafted RxRPC packets over the network to trigger the code path. The low probability of exploitation combined with the potential for denial of service results in a moderate overall risk that still warrants timely remediation.\n"}}}}, "created": "2026-04-27T18:45:11.321021+00:00", "updated": "2026-04-29T01:45:26.023028+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}