PatchSiren

CVE-2026-23066 Linux CVE debrief

A use-after-free (UAF) and reference-count underrun vulnerability exists in the Linux kernel's rxrpc subsystem. The flaw resides in rxrpc_recvmsg(), which unconditionally requeues a call to the recvmsg queue when MSG_DONTWAIT is specified and the call's mutex is locked. Because the call may already be on the queue—either because MSG_PEEK prevented dequeuing or because the I/O thread requeued it—this unconditional requeue corrupts the recvmsg queue structure. The corruption can lead to UAF conditions or reference-count underruns. The issue affects Linux kernel versions from 4.11 through 6.18.7, plus 6.19 release candidates rc1 through rc6. The fix ensures requeuing only occurs when the call is not already queued, moves existing queued calls to the front rather than requeuing, and properly releases the reference obtained during dequeue when requeuing does not occur. Additionally, MSG_PEEK handling is corrected to avoid calling rxrpc_notify_socket() when data remains on the queue.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-04
Original CVE updated: 2026-06-01
Advisory published: 2026-02-04
Advisory updated: 2026-06-01

Who should care

Linux system administrators running kernels 4.11 through 6.18.7 or a 6.19 release candidate from rc1 through rc6, particularly those using AFS (Andrew File System) or other services built on AF_RXRPC, and security teams monitoring for local privilege escalation vectors in kernel networking subsystems.

Technical summary

The vulnerability is in net/rxrpc/recvmsg.c in the Linux kernel's RxRPC (Remote Procedure Call over RX) subsystem. When rxrpc_recvmsg() is called with MSG_DONTWAIT and the call at the front of the recvmsg queue has its mutex locked, the function unconditionally requeues the call regardless of whether it is already on the queue. This can occur when MSG_PEEK is also passed (preventing dequeue) or when the I/O thread has already requeued the call. The unconditional requeue corrupts the recvmsg queue linked list, leading to use-after-free vulnerabilities or reference count underruns. The fix adds a check to only requeue if the call is not already queued, moves already-queued calls to the front instead of requeuing, and releases the reference obtained during dequeue when no requeue occurs. A secondary fix prevents rxrpc_notify_socket() from being called for MSG_PEEK operations when data remains on the queue.

Defensive priority

HIGH

Recommended defensive actions

  • Apply kernel patches from stable branches to resolve the rxrpc_recvmsg() queue corruption issue. Prioritize systems using AF_RXRPC, particularly those with services relying on RxRPC for remote procedure calls such as AFS.
  • Upgrade to Linux kernel 6.18.8 or later, or apply the specific stable branch patches for supported long-term support (LTS) kernels.
  • Monitor for kernel crash reports or use-after-free detections in rxrpc-related code paths, particularly when MSG_DONTWAIT or MSG_PEEK flags are used with recvmsg() on AF_RXRPC sockets.
  • If immediate patching is not feasible, consider restricting access to AF_RXRPC sockets to trusted local processes only, as the CVSS vector indicates a local attack vector with low privileges required.
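
A version check for the upgrade guidance above, as an added example rather than PatchSiren's or the kernel project's code: it compares an upstream-style release string with the affected ranges quoted in this debrief and reports whether the rxrpc module is loaded. The function names are hypothetical, and a stable or distribution kernel that carries a backported fix still reports an in-range version, so confirm the result against the vendor's advisory.

```sh
#!/bin/sh
# Added example: compare a kernel release string with the upstream ranges this
# debrief quotes (4.11 through 6.18.7, and 6.19-rc1 through 6.19-rc6).

# Print in-range, out-of-range or unknown for a release such as `uname -r`.
rxrpc_cve_range() {
    rel=$1
    base=${rel%%-*}                          # "6.18.7-arch1-1" -> "6.18.7"
    rc=""
    case $rel in
        *-rc[0-9]*) rc=${rel#*-rc}; rc=${rc%%[!0-9]*} ;;   # "-rc3-g1a2b" -> "3"
    esac
    IFS=. read -r major minor patch extra <<EOF
$base
EOF
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    if [ -z "$major" ]; then echo unknown; return 0; fi
    code=$(( $major * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    if [ "$major" -eq 6 ] && [ "${minor:-0}" -eq 19 ] && [ -n "$rc" ]; then
        # Only the 6.19 release candidates rc1..rc6 are listed as affected.
        if [ "$rc" -ge 1 ] && [ "$rc" -le 6 ]; then echo in-range; else echo out-of-range; fi
    elif [ "$code" -ge 4011000 ] && [ "$code" -le 6018007 ]; then
        echo in-range                        # 4.11 <= version <= 6.18.7
    else
        echo out-of-range
    fi
}

# A loaded module appears under <sysfs>/module; $1 overrides the sysfs root
# so the check can be pointed at a fixture directory.
rxrpc_loaded() {
    if [ -d "${1:-/sys}/module/rxrpc" ]; then echo loaded; else echo not-loaded; fi
}

# One-line summary for the local host, or for a release string passed as $1.
rxrpc_report() {
    rel=${1:-$(uname -r)}
    echo "kernel=$rel range=$(rxrpc_cve_range "$rel") rxrpc=$(rxrpc_loaded "$2")"
}

rxrpc_report
```

Hosts that report in-range with rxrpc loaded are the ones to patch first.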

Evidence notes

CVE description confirms unconditional requeue in rxrpc_recvmsg() when MSG_DONTWAIT is set and mutex is locked, with queue corruption leading to UAF or refcount underruns. CPE criteria specify affected versions: Linux kernel 4.11 through 6.18.7, and 6.19-rc1 through rc6. Kernel.org stable commits tagged as Patch provide fix verification. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields score 7.8 (HIGH). CWE-674 (Uncontrolled Recursion) is mapped by NVD, though the primary issue is queue corruption from improper requeue logic.
