Bug 2436805 (CVE-2026-23066) - CVE-2026-23066 kernel: Linux kernel: Denial of Service via unsafe requeue in rxrpc_recvmsg
Summary: CVE-2026-23066 kernel: Linux kernel: Denial of Service via unsafe requeue in ...
Keywords:
Status: NEW
Alias: CVE-2026-23066
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-04 17:04 UTC by OSIDB Bzimport
Modified: 2026-02-05 18:24 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-02-04 17:04:15 UTC 
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix recvmsg() unconditional requeue

If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at
the front of the recvmsg queue already has its mutex locked, it requeues
the call - whether or not the call is already queued.  The call may be on
the queue because MSG_PEEK was also passed and so the call was not dequeued
or because the I/O thread requeued it.

The unconditional requeue may then corrupt the recvmsg queue, leading to
things like UAFs or refcount underruns.

Fix this by only requeuing the call if it isn't already on the queue - and
moving it to the front if it is already queued.  If we don't queue it, we
have to put the ref we obtained by dequeuing it.

Also, MSG_PEEK doesn't dequeue the call so shouldn't call
rxrpc_notify_socket() for the call if we didn't use up all the data on the
queue, so fix that also.
Comment 1 Jon Moroney 2026-02-04 21:18:50 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026020416-CVE-2026-23066-8e44@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.