Detections
Analytics

CVE-2026-45998

medium

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skb_unshare() failure If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops. Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

References

https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c

https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495

https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd

https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd

https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8

Details

Source: Mitre, NVD

Published: 2026-05-27

Updated: 2026-05-27

Risk Information

CVSS v2

Base Score: 4.9

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium

EPSS

EPSS: 0.00018