CRITICAL
rxrpc Response Race
CVE-2026-45988
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI4.7MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix re-decryption of RESPONSE packets If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry. Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response. Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE.
02KernelScan AI Analysis
Risk summary
Remote attackers can cause improper reprocessing of partially decrypted RxRPC RESPONSE packets by inducing temporary processing failures, leading to cryptographic state corruption and connection integrity issues. This affects systems running AFS services or clients that use the RxRPC protocol for secure communication over UDP.
Vulnerability analysis
The vulnerability occurs when RESPONSE packets encounter temporary failures (e.g., -ENOMEM or -EAGAIN) during decryption processing. The original code requeued the packet for retry, but the packet could be left in a partially decrypted state. Reprocessing this mutated skb leads to incorrect cryptographic operations and connection state corruption. The fix removes the retry mechanism entirely, discarding the packet and relying on the protocol's natural retransmission behavior (CHALLENGE/RESPONSE exchanges) to recover. This eliminates the possibility of re-decrypting or reprocessing a packet in an inconsistent state.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.86 | 7b8986830505 |
| 6.18 | 6.18.27 | 76cb9a2d2522 |
| 6.6 | 6.6.140 | d61482be4aae |
| 7.0 | 7.0.4 | f55b38307017 |
| mainline | 7.1-rc1 | 0422e7a4883f |