CVE-2026-31400
Received Received - Intake
Use-After-Free Vulnerability in Linux Kernel sunrpc Cache Handling

Publication date: 2026-04-03

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup. The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up. Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-18
Generated
2026-05-07
AI Q&A
2026-04-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31400
EUVD
EUVD-2026-18782
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's sunrpc subsystem, specifically related to the handling of cache_request objects. When a reader's file descriptor is closed while it is in the middle of reading a cache_request, the function cache_release() decreases the reader count but does not properly check if the cache_request should be freed. This leads to a situation where the cache_request is not removed from the queue or freed, causing a resource leak.

The issue arises because cache_release() lacks the cleanup logic that is present in cache_read(), which frees the cache_request when the reader count drops to zero and the CACHE_PENDING flag is clear. If the CACHE_PENDING flag was already cleared while readers were still present, the cache_dequeue() function, which also frees requests, will have skipped the request. As a result, no subsequent function frees the cache_request, causing a leak.

The fix involves adding the cleanup logic from cache_read() to cache_release(), so that after decrementing the reader count, it checks if the count reached zero with CACHE_PENDING clear, and if so, dequeues and frees the cache_request.


How can this vulnerability impact me? :

This vulnerability can lead to a resource leak in the Linux kernel's sunrpc subsystem. Specifically, cache_request objects may not be freed properly, causing memory or resource consumption to increase over time.

Such leaks can degrade system performance, potentially leading to exhaustion of kernel memory or other resources, which might cause system instability or crashes if the leak is severe or exploited repeatedly.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by updating the Linux kernel to a version where the cache_request leak in sunrpc's cache_release function is resolved.

Immediate mitigation steps include applying the latest kernel patches or upgrading to a kernel version that contains the fix for this issue.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart