CVE-2026-45998
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
In the Linux kernel, a use-after-free (UAF) vulnerability was found in the rxrpc module after a failed skb_unshare() call. If skb_unshare() fails to duplicate a packet due to an allocation error, the skb pointer in the parent function (rxrpc_io_thread()) is set to NULL, which may cause a system crash when trace_rxrpc_rx_done() is called.
Risk Assessment
The risk involves a potential system crash (oops) due to dereferencing a NULL pointer, which could disrupt network services relying on RxRPC and lead to data loss.
Recommendation
It is recommended to immediately update the Linux kernel to a version containing the fix, which moves the unsharing operation to the rxrpc_input_call_packet() call site and changes the parameter type in rxrpc_input_packet() to a plain pointer.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skb_unshare() failure If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops. Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

