In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix potential UAF after skb_unshare() failure
If skb_unshare() fails to unshare a packet due to allocation failure in
rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
will be NULL'd out. This will likely cause the call to
trace_rxrpc_rx_done() to oops.
Fix this by moving the unsharing down to where rxrpc_input_call_event()
calls rxrpc_input_call_packet(). There are a number of places prior to
that where we ignore DATA packets for a variety of reasons (such as the
call already being complete) for which an unshare is then avoided.
And with that, rxrpc_input_packet() doesn't need to take a pointer to the
pointer to the packet, so change that to just a pointer.
| Score | Percentile |
|---|---|
| 0.13% | 2.85% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-mjcm-hf7x-hm3w ↗ |
| CVE | CVE-2026-45998 ↗ |