{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31639", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.125Z", "datePublished": "2026-04-24T14:44:52.769Z", "dateUpdated": "2026-04-24T14:44:52.769Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-24T14:44:52.769Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix key reference count leak from call->key\n\nWhen creating a client call in rxrpc_alloc_client_call(), the code obtains\na reference to the key. This is never cleaned up and gets leaked when the\ncall is destroyed.\n\nFix this by freeing call->key in rxrpc_destroy_call().\n\nBefore the patch, it shows the key reference counter elevated:\n\n$ cat /proc/keys | grep afs@54321\n1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka\n$\n\nAfter the patch, the invalidated key is removed when the code exits:\n\n$ cat /proc/keys | grep afs@54321\n$"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rxrpc/call_object.c"], "versions": [{"version": "f3441d4125fc98995858550a5521b8d7daf0504a", "lessThan": "f1a7a3ab0f35f83cf11bba906b9e948cf3788c28", "status": "affected", "versionType": "git"}, {"version": "f3441d4125fc98995858550a5521b8d7daf0504a", "lessThan": "e6b7943c5dc875647499da09bf4d50a8557ab0c3", "status": "affected", "versionType": "git"}, {"version": "f3441d4125fc98995858550a5521b8d7daf0504a", "lessThan": "2e6ef713b1598f6acd7f302fa6b12b6731c89914", "status": "affected", "versionType": "git"}, {"version": "f3441d4125fc98995858550a5521b8d7daf0504a", "lessThan": "978108902ee4ef2b348ff7ec36ad014dc5bc6dc6", "status": "affected", "versionType": "git"}, {"version": "f3441d4125fc98995858550a5521b8d7daf0504a", "lessThan": "d666540d217e8d420544ebdfbadeedd623562733", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rxrpc/call_object.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f1a7a3ab0f35f83cf11bba906b9e948cf3788c28"}, {"url": "https://git.kernel.org/stable/c/e6b7943c5dc875647499da09bf4d50a8557ab0c3"}, {"url": "https://git.kernel.org/stable/c/2e6ef713b1598f6acd7f302fa6b12b6731c89914"}, {"url": "https://git.kernel.org/stable/c/978108902ee4ef2b348ff7ec36ad014dc5bc6dc6"}, {"url": "https://git.kernel.org/stable/c/d666540d217e8d420544ebdfbadeedd623562733"}], "title": "rxrpc: Fix key reference count leak from call->key", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8AD2A-FCEB-42B6-8B79-66822D8E7C37", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix key reference count leak from call->key\n\nWhen creating a client call in rxrpc_alloc_client_call(), the code obtains\na reference to the key. This is never cleaned up and gets leaked when the\ncall is destroyed.\n\nFix this by freeing call->key in rxrpc_destroy_call().\n\nBefore the patch, it shows the key reference counter elevated:\n\n$ cat /proc/keys | grep afs@54321\n1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka\n$\n\nAfter the patch, the invalidated key is removed when the code exits:\n\n$ cat /proc/keys | grep afs@54321\n$"}], "id": "CVE-2026-31639", "lastModified": "2026-04-27T20:20:27.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:43.240", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2e6ef713b1598f6acd7f302fa6b12b6731c89914"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/978108902ee4ef2b348ff7ec36ad014dc5bc6dc6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d666540d217e8d420544ebdfbadeedd623562733"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e6b7943c5dc875647499da09bf4d50a8557ab0c3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f1a7a3ab0f35f83cf11bba906b9e948cf3788c28"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: rxrpc: Fix key reference count leak from call->key", "id": "2461447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461447"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the rxrpc subsystem of the Linux kernel. When a client call is created, a reference to a key is obtained but not properly released when the call is destroyed. This oversight leads to a key reference count leak, which can accumulate over time. This resource exhaustion could eventually allow a local attacker to cause a Denial of Service (DoS) by consuming available system resources."], "name": "CVE-2026-31639", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31639\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31639\nhttps://lore.kernel.org/linux-cve-announce/2026042456-CVE-2026-31639-ef94@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f3441d4125fc98995858550a5521b8d7daf0504a,f1a7a3ab0f35f83cf11bba906b9e948cf3788c28)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f3441d4125fc98995858550a5521b8d7daf0504a,e6b7943c5dc875647499da09bf4d50a8557ab0c3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f3441d4125fc98995858550a5521b8d7daf0504a,2e6ef713b1598f6acd7f302fa6b12b6731c89914)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f3441d4125fc98995858550a5521b8d7daf0504a,978108902ee4ef2b348ff7ec36ad014dc5bc6dc6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f3441d4125fc98995858550a5521b8d7daf0504a,d666540d217e8d420544ebdfbadeedd623562733)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T06:15:12.208731+00:00", "value": {"mitigation_remediation": ["Apply the patch that releases call->key in rxrpc_destroy_call().", "Upgrade the kernel to a version that includes the fix (e.g., any 6.2 or 7.0 rc releases after the commit).", "If an immediate kernel upgrade is not possible, disable the rxrpc protocol or restrict its use until the patch is applied."], "summary": {"action": "Apply Patches", "impact": "Resource Leak in Linux Kernel via rxrpc key reference count retention leading to potential denial\u2011of\u2011service"}, "threat_synthesis": {"affected_systems": "Affected systems include any Linux kernel that incorporates the rxrpc client implementation prior to the patch, specifically kernels 6.2 and the 7.0 release candidates through rc7. All variants declared in the CPE list (linux_kernel) are vulnerable until the fix is applied.", "description_and_impact": "The vulnerability resides in the Linux kernel\u2019s rxrpc subsystem. When a client call is allocated, the code increments the reference count of the associated key but never decrements it upon call destruction, causing a reference count leak. The leaked key remains visible in /proc/keys, and over time the kernel key table can grow, potentially exhausting kernel resources and degrading system stability. This weakness is a classic reference\u2011count management flaw, identified as CWE-911.", "risk_and_exploitability": "The CVSS score of 5.5 classifies the risk as moderate, while an EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be local or dependent on services that use rxrpc; the leak does not provide direct code execution or remote privilege escalation, but could be leveraged to exhaust the kernel key table. Users should consider the patch as the preferred remediation, and monitor for anomalous key growth if a patch cannot be immediately applied."}}}}, "created": "2026-04-27T18:45:11.321449+00:00", "updated": "2026-04-28T06:15:24.160090+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}