CVE-2026-31640
Published: 24 April 2026
Summary
CVE-2026-31640 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely application of the specified kernel patches remediates the faulty skb comparison in rxrpc_post_response(), directly preventing DoS via memory leaks.
Denial-of-service protections mitigate resource exhaustion attacks triggered by exploitation of this rxrpc vulnerability.
System monitoring detects indicators of resource exhaustion or crashes resulting from exploitation of the memory leak in rxrpc response handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated memory leak (CWE-401) in Linux kernel rxrpc directly enables adversaries to trigger resource exhaustion or system crashes via crafted network packets, matching application/system exploitation for endpoint DoS.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to…
more
switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false. Fix this by switching to look at the older packet. Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use.
Deeper analysisAI
CVE-2026-31640 is a vulnerability in the Linux kernel's rxrpc implementation, specifically in the rxrpc_post_response() function. The issue arises when comparing the challenge serial number from a cached response to decide whether to switch to a newer response; instead, the code examines the newer packet's private data, causing the comparison to always evaluate as false. This flaw, classified under CWE-401 (Memory Leak), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for availability disruption.
Remote, unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. By triggering the faulty comparison in rxrpc response handling, attackers can induce a denial-of-service condition, likely through memory leaks or improper packet handling that leads to resource exhaustion or system crashes.
Mitigation is available through kernel patches merged into stable branches, as detailed in the following commit references: https://git.kernel.org/stable/c/20386e7f8d97475b8d815873e246423317ec4260, https://git.kernel.org/stable/c/9132b1a7bf83b4a8042fffbc99d075b727a16742, and https://git.kernel.org/stable/c/b33f5741bb187db8ff32e8f5b96def77cc94dfca. These fixes correct the skb usage by comparing the older packet's serial, substituting newer packets when appropriate, and releasing unused ones. Security practitioners should update affected Linux kernels to incorporate these changes.
Details
- CWE(s)