CVE-2026-23066

EUVD-2026-5478
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix recvmsg() unconditional requeue

If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at
the front of the recvmsg queue already has its mutex locked, it requeues
the call - whether or not the call is already queued.  The call may be on
the queue because MSG_PEEK was also passed and so the call was not dequeued
or because the I/O thread requeued it.

The unconditional requeue may then corrupt the recvmsg queue, leading to
things like UAFs or refcount underruns.

Fix this by only requeuing the call if it isn't already on the queue - and
moving it to the front if it is already queued.  If we don't queue it, we
have to put the ref we obtained by dequeuing it.

Also, MSG_PEEK doesn't dequeue the call so shouldn't call
rxrpc_notify_socket() for the call if we didn't use up all the data on the
queue, so fix that also.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
4.11 ≤
𝑥
< 6.18.8
linuxlinux_kernel
6.19:rc1
linuxlinux_kernel
6.19:rc2
linuxlinux_kernel
6.19:rc3
linuxlinux_kernel
6.19:rc4
linuxlinux_kernel
6.19:rc5
linuxlinux_kernel
6.19:rc6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
6.1.176-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.259-1
fixed
forky
7.0.13-1
fixed
sid
7.1.3-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.94-1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
kernel
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
kernel-debuginfo
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
kernel-debuginfo-common-aarch64
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
kernel-debuginfo-common-x86_64
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
kernel-devel
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
kernel-headers
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
kernel-livepatch-4.14.355-281.714
Amazon Linux 2
0:1.0-0.amzn2
fixed
kernel-tools
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
kernel-tools-debuginfo
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
kernel-tools-devel
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
perf
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
perf-debuginfo
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
python-perf
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
python-perf-debuginfo
Amazon Linux 2
0:4.14.355-281.714.amzn2
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.130.1-3.azl3
fixed