CVE-2026-31400

EUVD-2026-18782
In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix cache_request leak in cache_release

When a reader's file descriptor is closed while in the middle of reading
a cache_request (rp->offset != 0), cache_release() decrements the
request's readers count but never checks whether it should free the
request.

In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the
cache_request is removed from the queue and freed along with its buffer
and cache_head reference. cache_release() lacks this cleanup.

The only other path that frees requests with readers == 0 is
cache_dequeue(), but it runs only when CACHE_PENDING transitions from
set to clear. If that transition already happened while readers was
still non-zero, cache_dequeue() will have skipped the request, and no
subsequent call will clean it up.

Add the same cleanup logic from cache_read() to cache_release(): after
decrementing readers, check if it reached 0 with CACHE_PENDING clear,
and if so, dequeue and free the cache_request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
6.19.10-1
fixed
sid
6.19.10-1
fixed
trixie
vulnerable
trixie (security)
vulnerable
References
https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065
https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351
https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673
https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2
https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1
https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc