CVE-2026-31638

rxrpcinputpacketonconn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpctryget_call() returns NULL and there is no reference to drop.

The client-side implicit-end error path does not account for that and unconditionally calls rxrpcputcall(). This turns a protocol error path into a kernel crash instead of rejecting the packet.

Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31638.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5e6ef4f1017c7f844e305283bbd8875af475e2fc

Fixed

b8f66447448d6c305a51413a67ec8ed26aa7d1dd

Fixed

0c156aff8a2d4fa0d61db7837641975cf0e5452d

Fixed

8299ca146489664e3c0c90a3b8900d8335b1ede4

Fixed

9fb09861e2b8d1abfe2efaf260c9f1d30080ea38

Fixed

6331f1b24a3e85465f6454e003a3e6c22005a5c5

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31638.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.135

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.82

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.23

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.13

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31638.json"