CVE-2026-31639

When creating a client call in rxrpcallocclient_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed.

Fix this by freeing call->key in rxrpcdestroycall().

Before the patch, it shows the key reference counter elevated:

$ cat /proc/keys | grep afs@54321 1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka $

After the patch, the invalidated key is removed when the code exits:

$ cat /proc/keys | grep afs@54321 $

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31639.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f3441d4125fc98995858550a5521b8d7daf0504a

Fixed

f1a7a3ab0f35f83cf11bba906b9e948cf3788c28

Fixed

e6b7943c5dc875647499da09bf4d50a8557ab0c3

Fixed

2e6ef713b1598f6acd7f302fa6b12b6731c89914

Fixed

978108902ee4ef2b348ff7ec36ad014dc5bc6dc6

Fixed

d666540d217e8d420544ebdfbadeedd623562733

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31639.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.135

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.82

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.23

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.13

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31639.json"