CVE-2026-45998

If skbunshare() fails to unshare a packet due to allocation failure in rxrpcinputpacket(), the skb pointer in the parent (rxrpciothread()) will be NULL'd out. This will likely cause the call to tracerxrpcrxdone() to oops.

Fix this by moving the unsharing down to where rxrpcinputcallevent() calls rxrpcinputcallpacket(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided.

And with that, rxrpcinputpacket() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45998.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2d1faf7a0ca3c0b327cf064c80e4e775532c9319

Fixed

e3bf143b1e98fb3d6d9e6825bcd683974d478e8c

Fixed

bf20f46d94f1db38e6ffc0ca204a5fe0de01b495

Fixed

996b0487b3cdda4c91811dbb1c9564626bc840bd

Fixed

8fde6296c4d4da2be7ab761305ab7f232b94eefd

Fixed

1f2740150f904bfa60e4bad74d65add3ccb5e7f8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45998.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.140

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.86

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.27

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

7.0.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45998.json"