CVE-2026-31638
Published: 24 April 2026
Summary
CVE-2026-31638 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 20.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and patching of the kernel flaw involving improper reference counting and NULL pointer dereference in RxRPC.
Mandates effective error handling in protocol processing paths to prevent kernel crashes from unconditional calls like rxrpc_put_call() on NULL pointers.
Implements denial-of-service protections such as network traffic filtering and rate limiting to mitigate remote exploitation of the RxRPC kernel crash.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A crafted packet from a remote, unauthenticated sender triggers a NULL dereference in the Linux kernel's RxRPC code, directly enabling a kernel panic/DoS via application or system exploitation (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet. Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.
Deeper analysis
CVE-2026-31638 is a vulnerability in the Linux kernel's RxRPC implementation, specifically involving improper reference counting in the rxrpc_input_packet_on_conn() function and the client-side implicit-end error path. The issue arises when processing a to-client packet after the current client call on the channel has been torn down, leaving chan->call as NULL. In this scenario, rxrpc_try_get_call() returns NULL with no reference acquired, but the error path unconditionally calls rxrpc_put_call(), resulting in a NULL pointer dereference (CWE-476) that crashes the kernel. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for denial-of-service.
A remote attacker with network access to an RxRPC-enabled service can exploit this vulnerability without authentication or privileges. By sending a crafted to-client packet after the client call has been torn down, the attacker triggers the unconditional rxrpc_put_call() on a NULL pointer, causing a kernel panic and denial-of-service on the affected system. No user interaction is required, and the attack complexity is low, making it feasible for unauthenticated network adversaries targeting Linux systems using RxRPC for remote procedure calls.
Mitigation involves applying the relevant stable kernel patches referenced in the CVE. These include upstream commits such as 0c156aff8a2d4fa0d61db7837641975cf0e5452d, 6331f1b24a3e85465f6454e003a3e6c22005a5c5, 8299ca146489664e3c0c90a3b8900d8335b1ede4, 9fb09861e2b8d1abfe2efaf260c9f1d30080ea38, and b8f66447448d6c305a51413a67ec8ed26aa7d1dd, which modify the code to only drop the call reference if one was actually acquired while preserving existing protocol error handling. Security practitioners should update to a patched kernel version as soon as available in their distribution's stable repositories.
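A simplified userspace model of the error path described above, with the unconditional put next to the guarded one. This is an added example, not the kernel's code or the upstream patch; the `model_*` names, the struct layouts and the `MODEL_REJECT` value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model: struct layouts and model_* names are assumptions,
 * not kernel definitions. */
struct model_call { int refs; };
struct model_chan { struct model_call *call; };

#define MODEL_REJECT (-1)   /* stands in for the protocol-error result */

/* Mirrors rxrpc_try_get_call() as described: NULL in, NULL out, no ref taken. */
static struct model_call *model_try_get_call(struct model_call *call)
{
    if (!call)
        return NULL;
    call->refs++;
    return call;
}

/* Mirrors rxrpc_put_call() as described: assumes a valid pointer. */
static void model_put_call(struct model_call *call)
{
    call->refs--;           /* a NULL argument here is the CWE-476 dereference */
}

/* Before the fix: the error path drops a reference it may not hold. */
int model_implicit_end_unpatched(struct model_chan *chan)
{
    struct model_call *call = model_try_get_call(chan->call);
    model_put_call(call);   /* faults when chan->call was already NULL */
    return MODEL_REJECT;
}

/* After the fix: put only if a reference was acquired; still reject. */
int model_implicit_end_patched(struct model_chan *chan)
{
    struct model_call *call = model_try_get_call(chan->call);
    if (call)
        model_put_call(call);
    return MODEL_REJECT;    /* protocol error handling is unchanged */
}

int main(void)
{
    struct model_call live = { 1 };
    struct model_chan torn = { NULL }, active = { &live };
    int r1 = model_implicit_end_patched(&torn);    /* torn-down call */
    int r2 = model_implicit_end_patched(&active);  /* live call */
    printf("torn=%d live=%d refs=%d\n", r1, r2, live.refs);
    return 0;
}
```

In the patched path both cases end in the same rejection, and the live call's reference count returns to its starting value because the get and put stay paired.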
Details
- CWE(s)