PatchSiren cyber security CVE debrief

CVE-2026-45998 Linux CVE debrief

A use-after-free (UAF) vulnerability exists in the Linux kernel's RxRPC networking subsystem. The flaw occurs in rxrpc_input_packet() when skb_unshare() fails to unshare a packet due to memory allocation failure. In this failure path, the skb pointer in the parent function (rxrpc_io_thread()) is set to NULL, but subsequent code may still attempt to access this freed/NULLed pointer through trace_rxrpc_rx_done(), leading to a kernel oops or potential memory corruption. The vulnerability is triggered during RxRPC packet processing when the system is under memory pressure. The fix relocates the skb_unshare() call to a later point in the processing path where DATA packets are handled, avoiding unnecessary unsharing for packets that will be discarded anyway, and simplifies the function signature to use a direct pointer rather than a pointer-to-pointer.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Linux systems with RxRPC-enabled workloads, particularly those using AFS (Andrew File System), Kerberos, or other RxRPC-based protocols. Systems under memory pressure are at elevated risk.

Technical summary

The RxRPC (Remote Procedure Call over Rx) kernel subsystem contains a use-after-free vulnerability in its packet input handling. When skb_unshare() fails due to memory allocation exhaustion, the socket buffer pointer is NULLed in the caller's scope, but the tracepoint trace_rxrpc_rx_done() may still dereference this invalid pointer. The fix moves skb_unshare() to rxrpc_input_call_packet() where it's only invoked for DATA packets that will actually be processed, eliminating the failure path from rxrpc_input_packet() and allowing simplification of its interface from pointer-to-pointer to direct pointer.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from stable branches once patches are available for your distribution
  • Monitor for kernel package updates addressing CVE-2026-45998
  • Consider enabling kernel memory pressure monitoring if RxRPC is heavily utilized
  • Review RxRPC usage in environment (AFS, Kerberos, or other userspace RxRPC consumers)
  • Prioritize patching on systems with constrained memory where allocation failures are more likely

Evidence notes

Vulnerability description confirms UAF pattern in skb_unshare() failure path. Multiple stable kernel commits provided indicate backports to supported branches. No CVSS score assigned yet (status: Awaiting Analysis). No KEV listing.
