CVE-2026-45998 PUBLISHED

rxrpc: Fix potential UAF after skb_unshare() failure

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix potential UAF after skb_unshare() failure

If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops.

Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 to e3bf143b1e98fb3d6d9e6825bcd683974d478e8c (excl.)
  • affected from 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 to bf20f46d94f1db38e6ffc0ca204a5fe0de01b495 (excl.)
  • affected from 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 to 996b0487b3cdda4c91811dbb1c9564626bc840bd (excl.)
  • affected from 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 to 8fde6296c4d4da2be7ab761305ab7f232b94eefd (excl.)
  • affected from 2d1faf7a0ca3c0b327cf064c80e4e775532c9319 to 1f2740150f904bfa60e4bad74d65add3ccb5e7f8 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.2 is affected
  • unaffected from 0 to 6.2 (excl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.86 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References