CVE-2026-23066

Advisory lineage Upstream: 0 Downstream: 10

Downstream

DEBIAN-CVE-2026-23066 OPENSUSE-SU-2026:20416-1 RHSA-2026:10108 RHSA-2026:9095 RHSA-2026:9112 RHSA-2026:9512

Modified

Published: 04 Feb 2026, 16:07

Last modified:01 Jun 2026, 16:10

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Feb 2026, 16:07

Published

Vulnerability first disclosed

01 Jun 2026, 16:10

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns. Fix this by only requeuing the call if it isn't already on the queue - and moving it to the front if it is already queued. If we don't queue it, we have to put the ref we obtained by dequeuing it. Also, MSG_PEEK doesn't dequeue the call so shouldn't call rxrpc_notify_socket() for the call if we didn't use up all the data on the queue, so fix that also.

CVSS Metrics

v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.02%• Percentile: 5%

Techniques & Countermeasures

CWE-674•Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Systems

linux•linux
≥ 540b1c48c37ac0ad66212004db21e1ff7e2d78be, < 8fd3b5e297854a4da0f273169baf4b1b7b257b97 | ≥ 540b1c48c37ac0ad66212004db21e1ff7e2d78be, < c198628f3fca5c874d93874c233014d336e09f64 | ≥ 540b1c48c37ac0ad66212004db21e1ff7e2d78be, < c6cebcb4e0b3140ec2ace45c020a9049527385d1 | ≥ 540b1c48c37ac0ad66212004db21e1ff7e2d78be, < 0464bf75590da75b8413c3e758c04647b4cdb3c6 | ≥ 540b1c48c37ac0ad66212004db21e1ff7e2d78be, < cf969bddd6e69c5777fa89dc88402204e72f312a | ≥ 540b1c48c37ac0ad66212004db21e1ff7e2d78be, < 930114425065f7ace6e0c0630fab4af75e059ea8 | ≥ 540b1c48c37ac0ad66212004db21e1ff7e2d78be, < 2c28769a51deb6022d7fbd499987e237a01dd63a | 4.11
linux•linux_kernel
≥ 4.11, < 6.18.8 | 6.19:rc1 | 6.19:rc2 | 6.19:rc3 | 6.19:rc4 | 6.19:rc5 | 6.19:rc6