PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31400 Linux CVE debrief

CVE-2026-31400 is a Linux kernel sunrpc memory-leak issue in cache_release(). If a reader closes its file descriptor mid-read, the request's reader count can drop to zero without the request being freed, leaving the cache_request, its buffer, and the cache_head reference it holds allocated. NVD assigns a medium CVSS score and lists the issue as affecting multiple Linux kernel release lines.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-20
Advisory published
2026-04-03
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that use the sunrpc cache path should care most. Systems with local users or services that can interact with the affected kernel code path have the clearest exposure; in practice that path is the upcall channel the sunrpc cache exposes to userspace daemons such as rpc.mountd, so NFS servers are where it is exercised most. The CVSS vector reflects local, low-complexity prerequisites with high availability impact and no confidentiality or integrity impact.

Technical summary

The bug is a cleanup omission in sunrpc cache_release(). When a file descriptor is closed mid-read, cache_release() decrements the request's readers count but does not perform the dequeue-and-free step that cache_read() performs when the last reader finishes a request. That step matters because cache_dequeue(), which runs when CACHE_PENDING clears, skips any request whose readers count is still non-zero. So if the cache entry is resolved while a read is in progress and the reader then closes its descriptor, the request is left on the queue with readers at zero and CACHE_PENDING already clear, and nothing comes back to free it. The result is a kernel memory leak of the cache_request, its buffer, and the cache_head reference it holds, rather than a confidentiality or integrity issue.
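The interleaving described above, as an added userspace model; this is not kernel code and not the stable patch. The structures and the queue are simplified stand-ins whose names follow net/sunrpc/cache.c, and the fixed cache_release() body is an assumption about the shape of the fix (reusing the last-reader check that cache_read() already applies), taken from the description above rather than from the patch text. The upcall buffer content is a constructed sample.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the kernel objects involved (model only). */
struct cache_head {
    int  refcnt;          /* cache_get()/cache_put() reference count */
    bool pending;         /* CACHE_PENDING: an upcall is outstanding */
};

struct cache_request {
    struct cache_head *item;   /* entry this upcall is for; holds one ref */
    char  *buf;                /* formatted upcall text handed to userspace */
    int    readers;            /* readers currently part-way through buf */
    bool   queued;             /* still linked on the detail's queue */
};

/* Allocation counter so a test can see what is never freed. */
static int live_requests;

/* Queue an upcall for h: allocate the request and take a cache_head ref. */
static struct cache_request *cache_make_upcall(struct cache_head *h)
{
    struct cache_request *rq = calloc(1, sizeof *rq);
    rq->buf = malloc(32);
    strcpy(rq->buf, "constructed upcall line\n");   /* constructed sample */
    rq->item = h;
    h->refcnt++;
    h->pending = true;
    rq->queued = true;
    live_requests++;
    return rq;
}

/* Unlink and free a request, dropping its cache_head reference. */
static void cache_request_free(struct cache_request *rq)
{
    rq->queued = false;
    rq->item->refcnt--;
    free(rq->buf);
    free(rq);
    live_requests--;
}

/* The entry is resolved and CACHE_PENDING clears; mirrors cache_dequeue():
 * a request that some reader is still in the middle of is left alone. */
static void cache_resolved(struct cache_request *rq)
{
    rq->item->pending = false;
    if (rq->queued && rq->readers == 0)
        cache_request_free(rq);
}

/* Tail of cache_read(): the last reader of a no-longer-pending request
 * dequeues and frees it. */
static void reader_done(struct cache_request *rq)
{
    rq->readers--;
    if (rq->readers == 0 && !rq->item->pending && rq->queued)
        cache_request_free(rq);
}

/* Vulnerable cache_release(): fd closed mid-read, readers-- and nothing else. */
static void cache_release_vulnerable(struct cache_request *rq)
{
    rq->readers--;
}

/* Fixed cache_release() as modeled here: apply cache_read()'s check too. */
static void cache_release_fixed(struct cache_request *rq)
{
    reader_done(rq);
}

enum scenario { READ_COMPLETES, CLOSE_MIDREAD_VULNERABLE, CLOSE_MIDREAD_FIXED };

/* Play one interleaving and return how many requests are still allocated
 * afterwards (0 means no leak). A leaked object is released before returning
 * purely so repeated calls start clean; the kernel has no such path. */
static int run_scenario(enum scenario s)
{
    struct cache_head h = {0};
    struct cache_request *rq = cache_make_upcall(&h);
    rq->readers++;            /* a daemon's first partial read of the upcall */
    cache_resolved(rq);       /* reply lands while that read is in progress */
    switch (s) {
    case READ_COMPLETES:           reader_done(rq);               break;
    case CLOSE_MIDREAD_VULNERABLE: cache_release_vulnerable(rq);  break;
    case CLOSE_MIDREAD_FIXED:      cache_release_fixed(rq);       break;
    }
    int leaked = live_requests;
    if (leaked)
        cache_request_free(rq);
    return leaked;
}

int main(void)
{
    printf("read completes normally : %d leaked\n", run_scenario(READ_COMPLETES));
    printf("close mid-read, unfixed : %d leaked\n", run_scenario(CLOSE_MIDREAD_VULNERABLE));
    printf("close mid-read, fixed   : %d leaked\n", run_scenario(CLOSE_MIDREAD_FIXED));
    return 0;
}
```

Only the middle scenario leaks: the request survives because cache_resolved() skipped it while readers was 1, and the unfixed release path never revisits the queue once readers reaches 0.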

Defensive priority

Medium. The issue is availability-focused and locally reachable, so the supplied record does not describe an emergency zero-day scenario, but an unpatched system can keep accumulating leaked kernel memory until the fix is applied.

Recommended defensive actions

  • Apply the kernel fix referenced in the official stable patch links.
  • Prioritize updates for kernels within the vulnerable ranges listed by NVD.
  • Verify whether your deployed kernel branch has already backported the fix from stable.
  • Monitor affected systems for unexplained kernel memory growth if patching must be delayed; the leaked cache_request objects are kmalloc allocations, so steady growth in unreclaimable slab usage (SUnreclaim in /proc/meminfo) on hosts that serve sunrpc upcalls is the signal to watch.
  • Track downstream vendor advisories for the exact fixed build number in your distribution.

Evidence notes

The CVE record was published on 2026-04-03 and last modified on 2026-05-20, per the supplied timeline and NVD source item. The vulnerability description states that cache_release() decrements the readers count but fails to free the request when readers reaches zero and CACHE_PENDING is clear. NVD marks the weakness as CWE-401 and provides the CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which supports a local availability-impacting memory leak. The official references include multiple kernel.org stable patch links.
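To check the stored score against the stored vector, an added CVSS v3.1 base-score calculator; it is not part of this page or of NVD's tooling. The metric weights, the impact and exploitability formulas and the Roundup rule are those of the CVSS v3.1 specification, and the function also handles the scope-changed (S:C) branch, which this CVE does not use.

```c
#include <stdio.h>
#include <string.h>

/* CVSS v3.1 Roundup: round to one decimal, always upward, using the integer
 * form the specification gives to avoid floating-point drift. */
static double cvss_roundup(double x)
{
    long i = (long)(x * 100000.0 + 0.5);   /* x is never negative here */
    if (i % 10000 == 0)
        return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* Map a metric value letter to its weight; -1.0 if the letter is not allowed. */
static double pick(char v, const char *keys, const double *vals)
{
    const char *p = v ? strchr(keys, v) : NULL;
    return p ? vals[p - keys] : -1.0;
}

/* Base score for a v3.1 base vector such as "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H";
 * an optional "CVSS:3.1/" prefix is accepted. Returns -1.0 when the vector is
 * malformed, carries a non-base metric, or lacks one of the eight base metrics. */
static double cvss31_base(const char *vector)
{
    static const char *names[8] = { "AV", "AC", "PR", "UI", "S", "C", "I", "A" };
    char m[8] = { 0 };
    char buf[128];

    if (strlen(vector) >= sizeof buf)
        return -1.0;
    strcpy(buf, vector);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strncmp(tok, "CVSS:", 5) == 0)
            continue;                                  /* version prefix */
        char *colon = strchr(tok, ':');
        if (!colon || colon[1] == '\0' || colon[2] != '\0')
            return -1.0;
        *colon = '\0';
        int k = 0;
        while (k < 8 && strcmp(tok, names[k]) != 0)
            k++;
        if (k == 8)
            return -1.0;                               /* only base metrics accepted */
        m[k] = colon[1];
    }
    for (int k = 0; k < 8; k++)
        if (m[k] == 0)
            return -1.0;                               /* a base metric is missing */

    int changed;
    if (m[4] == 'U') changed = 0;
    else if (m[4] == 'C') changed = 1;
    else return -1.0;

    static const double cia[3] = { 0.56, 0.22, 0.0 };
    double av = pick(m[0], "NALP", (const double[]){ 0.85, 0.62, 0.55, 0.2 });
    double ac = pick(m[1], "LH",   (const double[]){ 0.77, 0.44 });
    /* Privileges Required weighs more when scope changes. */
    double pr = changed ? pick(m[2], "NLH", (const double[]){ 0.85, 0.68, 0.5 })
                        : pick(m[2], "NLH", (const double[]){ 0.85, 0.62, 0.27 });
    double ui = pick(m[3], "NR",   (const double[]){ 0.85, 0.62 });
    double c = pick(m[5], "HLN", cia), i = pick(m[6], "HLN", cia), a = pick(m[7], "HLN", cia);
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0)
        return -1.0;

    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact;
    if (changed) {
        double p = iss - 0.02, p15 = 1.0;
        for (int n = 0; n < 15; n++)
            p15 *= p;
        impact = 7.52 * (iss - 0.029) - 3.25 * p15;
    } else {
        impact = 6.42 * iss;
    }
    double exploitability = 8.22 * av * ac * pr * ui;
    if (impact <= 0.0)
        return 0.0;
    double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    if (raw > 10.0)
        raw = 10.0;
    return cvss_roundup(raw);
}

int main(void)
{
    const char *v = "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H";   /* vector from the NVD record */
    printf("%s -> %.1f\n", v, cvss31_base(v));
    return 0;
}
```

For the stored vector the exploitability sub-score is about 1.83 and the impact sub-score 3.60 (6.42 times an ISS of 0.56), so the raw 5.43 rounds up to the 5.5 shown in the header; the A:H value alone carries the whole impact term, which is why C:N and I:N still leave the score in the medium band.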

Official resources

Publicly disclosed in the CVE record on 2026-04-03; modified by NVD on 2026-05-20. The supplied record does not indicate KEV inclusion.