Linux Kernel Vulnerability in RXRPC for Service Connections
CVE-2026-31676

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 25 April 2026

What is CVE-2026-31676?

A vulnerability in the Linux kernel affects the RXRPC subsystem, where RESPONSE packets are improperly handled during the service challenge phase. The current implementation allows duplicate or delayed RESPONSE packets to re-trigger the setup sequence after the service connection's state has already transitioned, leading to potential security risks. The vulnerability has been addressed by processing RESPONSE packets only while the connection is still in the RXRPC_CONN_SERVICE_CHALLENGING state, enforcing stricter state checks and secure flag usage to manage response verification and connection work securely.
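The state gate described above, as an added userspace model that is not kernel code and not taken from the fix commit. The struct, the function names and the two-state enum are hypothetical; only the idea that setup must run solely in the challenging state comes from the advisory.

```c
#include <stdio.h>

/* Hypothetical model. CONN_CHALLENGING stands in for the state the advisory
 * names RXRPC_CONN_SERVICE_CHALLENGING; CONN_SECURED is "after the transition". */
enum conn_state { CONN_CHALLENGING, CONN_SECURED };

struct conn {
    enum conn_state state;
    int setup_runs;   /* times response verification + setup executed */
    int dropped;      /* RESPONSE packets rejected by the state gate */
};

/* Stand-in for verifying the RESPONSE and initialising connection security. */
static void run_setup(struct conn *c)
{
    c->setup_runs++;
    c->state = CONN_SECURED;
}

/* Behaviour the advisory describes as flawed: no check on the current state,
 * so a duplicate or delayed RESPONSE re-runs setup on a secured connection. */
static int handle_response_unchecked(struct conn *c)
{
    run_setup(c);
    return 0;
}

/* Behaviour after the fix: setup runs only while still challenging. */
static int handle_response_checked(struct conn *c)
{
    if (c->state != CONN_CHALLENGING) {
        c->dropped++;          /* stale or duplicate RESPONSE */
        return -1;             /* illustrative error value, not the kernel's */
    }
    run_setup(c);
    return 0;
}

/* Deliver n RESPONSE packets to a fresh connection; return the final counters. */
static struct conn deliver(int (*handler)(struct conn *), int n)
{
    struct conn c = { CONN_CHALLENGING, 0, 0 };
    for (int i = 0; i < n; i++)
        handler(&c);
    return c;
}

int main(void)
{
    printf("unchecked: %d setup runs\n", deliver(handle_response_unchecked, 3).setup_runs);
    printf("checked:   %d setup runs\n", deliver(handle_response_checked, 3).setup_runs);
    return 0;
}
```

The `dropped` counter marks where a real implementation could expose a metric or trace point for rejected RESPONSE packets.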

Affected Version(s)

Linux 17926a79320afa9b95df6b977b40cca6d8713cea

Linux 17926a79320afa9b95df6b977b40cca6d8713cea < 03fd2ef73cb4ffd0af100a95b634af54f474414e

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
