CVE-2026-23066
Unknown Unknown - Not Provided
Use-After-Free Vulnerability in Linux Kernel rxrpc recvmsg Queue

Publication date: 2026-02-04

Last updated on: 2026-04-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns. Fix this by only requeuing the call if it isn't already on the queue - and moving it to the front if it is already queued. If we don't queue it, we have to put the ref we obtained by dequeuing it. Also, MSG_PEEK doesn't dequeue the call so shouldn't call rxrpc_notify_socket() for the call if we didn't use up all the data on the queue, so fix that also.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-04-03
Generated
2026-05-07
AI Q&A
2026-02-04
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23066
EUVD
EUVD-2026-5478
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 4.11 (inc) to 6.18.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

The vulnerability can lead to corruption of the recvmsg queue in the Linux kernel's rxrpc component. This corruption may cause use-after-free conditions or reference count underruns, which can result in unpredictable behavior, crashes, or potential security issues such as memory corruption.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's rxrpc component, specifically in the recvmsg() function. When rxrpc_recvmsg() is called with the MSG_DONTWAIT flag and the call at the front of the recvmsg queue already has its mutex locked, the function requeues the call unconditionally. This can happen even if the call is already on the queue, for example, due to MSG_PEEK being used or because the I/O thread requeued it.

This unconditional requeue can corrupt the recvmsg queue, potentially causing use-after-free (UAF) errors or reference count underruns. The fix involves only requeuing the call if it is not already on the queue, or moving it to the front if it is already queued, and properly managing the reference count.


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart