{ "threat_severity" : "Moderate", "public_date" : "2026-02-04T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Denial of Service via unsafe requeue in rxrpc_recvmsg", "id" : "2436805", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2436805" }, "cvss3" : { "cvss3_base_score" : "7.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nrxrpc: Fix recvmsg() unconditional requeue\nIf rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at\nthe front of the recvmsg queue already has its mutex locked, it requeues\nthe call - whether or not the call is already queued. The call may be on\nthe queue because MSG_PEEK was also passed and so the call was not dequeued\nor because the I/O thread requeued it.\nThe unconditional requeue may then corrupt the recvmsg queue, leading to\nthings like UAFs or refcount underruns.\nFix this by only requeuing the call if it isn't already on the queue - and\nmoving it to the front if it is already queued. If we don't queue it, we\nhave to put the ref we obtained by dequeuing it.\nAlso, MSG_PEEK doesn't dequeue the call so shouldn't call\nrxrpc_notify_socket() for the call if we didn't use up all the data on the\nqueue, so fix that also.", "A flaw was found in the Linux kernel. A local unprivileged process can exploit an unsafe requeue path in the `rxrpc_recvmsg` function by using `AF_RXRPC` sockets with `MSG_DONTWAIT` and `MSG_PEEK` flags. This improper handling of the receive message queue can lead to memory corruption, such as Use-After-Frees (UAFs) or reference count underruns. The most likely outcome is a kernel crash or memory safety warning, resulting in a denial of service. There is also a conservative possibility of broader impact if the memory corruption is exploitable." ], "statement" : "An unsafe requeue path in rxrpc_recvmsg can corrupt the recvmsg queue because a call is requeued unconditionally even if it is already on the queue due to MSG_PEEK or a concurrent IO thread requeue. This can corrupt the linked list bookkeeping and can manifest as use after free or refcount underrun in RXRPC call objects. The most likely outcome is a kernel crash or memory safety warning which results in denial of service. For the CVSS the PR is N because a local unprivileged process can trigger the behavior by using AF_RXRPC sockets and recvmsg with MSG_DONTWAIT and MSG_PEEK patterns. The issue is not directly network reachable as a pure remote packet trigger because the vulnerable operation is in the local recvmsg path. Remote traffic can influence timing and queue state but a local caller is still needed to exercise the buggy logic. Impact is primarily availability with a conservative possibility of broader impact if the memory corruption is exploitable.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-04-20T00:00:00Z", "advisory" : "RHSA-2026:9095", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "kernel-0:6.12.0-55.69.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-04-22T00:00:00Z", "advisory" : "RHSA-2026:9644", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.166.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-04-22T00:00:00Z", "advisory" : "RHSA-2026:9512", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.166.1.rt14.451.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10108", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.121.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-04-20T00:00:00Z", "advisory" : "RHSA-2026:9112", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.108.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23066\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23066\nhttps://lore.kernel.org/linux-cve-announce/2026020416-CVE-2026-23066-8e44@gregkh/T" ], "name" : "CVE-2026-23066", "mitigation" : { "value" : "To mitigate this issue, prevent module rxrpc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }