CVE-2026-46000 PUBLISHED

rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted).

Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to c0428a22daf69714dc042b67ea759956b74c74e5 (excl.)
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to 98a2046d155f73f6cf5d2c493c5e09b4963e2e12 (excl.)
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to ca71ac2de389b01eecdc48bfafbdf073ec232044 (excl.)
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to d9b93a0f57ca5f6831bfaa34014b6cd705564a00 (excl.)
  • affected from 17926a79320afa9b95df6b977b40cca6d8713cea to 24481a7f573305706054c59e275371f8d0fe919f (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.22 is affected
  • unaffected from 0 to 2.6.22 (excl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.88 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References