0.0
NA
CVE-2026-31400
sunrpc: fix cache_request leak in cache_release
Description

In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix cache_request leak in cache_release

When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request.

In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup.

The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up.

Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request.
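The ordering that produces the leak can be replayed in a small single-threaded userspace model. This is an added example, not the kernel's code or the upstream patch: the struct layout and the names `model_dequeue`, `model_release` and `leaked_requests` are assumptions, and locking, the request buffer and the cache_head reference are left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a cache_request; 'pending' models CACHE_PENDING. */
struct request { int readers; bool pending; };
static int live_requests;                 /* allocated and not yet freed */

static struct request *request_new(void) {
    struct request *rq = calloc(1, sizeof(*rq));
    if (!rq) abort();
    rq->pending = true;
    live_requests++;
    return rq;
}
static void request_free(struct request *rq) { free(rq); live_requests--; }

/* Models cache_dequeue(): runs once, when CACHE_PENDING goes from set to
 * clear, and skips a request that still has readers. */
static void model_dequeue(struct request *rq) {
    rq->pending = false;
    if (rq->readers == 0) request_free(rq);
}
/* Models cache_release() for a reader closed mid-request (rp->offset != 0).
 * fixed == false is the behaviour before the fix: decrement only. */
static void model_release(struct request *rq, bool fixed) {
    rq->readers--;
    if (fixed && rq->readers == 0 && !rq->pending)
        request_free(rq);                 /* same check cache_read() makes */
}
/* Replays one ordering and returns how many requests were never freed. */
int leaked_requests(bool fixed, bool clear_before_close) {
    live_requests = 0;
    struct request *rq = request_new();
    rq->readers++;                        /* reader is part-way through */
    if (clear_before_close) {
        model_dequeue(rq);                /* skipped: readers != 0 */
        model_release(rq, fixed);         /* last chance to free */
    } else {
        model_release(rq, fixed);         /* still pending: nothing to free */
        model_dequeue(rq);                /* readers == 0: freed here */
    }
    int leaked = live_requests;
    if (leaked) free(rq);                 /* tidy up the model itself */
    return leaked;
}
int main(void) {
    printf("unfixed, clear before close: %d leaked\n", leaked_requests(false, true));
    printf("fixed,   clear before close: %d leaked\n", leaked_requests(true, true));
    printf("unfixed, close before clear: %d leaked\n", leaked_requests(false, false));
    return 0;
}
```

Only the ordering in which CACHE_PENDING clears before the close leaks in the unfixed model, which matches the description: when the close comes first, the later cache_dequeue() pass still frees the request.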

INFO

Published Date: April 3, 2026, 4:16 p.m.

Last Modified: April 3, 2026, 4:16 p.m.

Remotely Exploitable: No

Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected Products

The following products are affected by the CVE-2026-31400 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recorded yet

Solution
Apply kernel patches to fix memory leaks in sunrpc cache handling.
  • Update the Linux kernel to include the fix.
  • Verify cache_request memory is properly freed.
  • Ensure cache_dequeue handles all cleanup paths.
  • Test cache_release logic for zero reader counts.

The following table lists the changes that have been made to the CVE-2026-31400 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 03, 2026

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup. The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up. Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request.
    Added Reference https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065
    Added Reference https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351
    Added Reference https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673
    Added Reference https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2
    Added Reference https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1
    Added Reference https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc