CVE-2026-31400
sunrpc: fix cache_request leak in cache_release
Description
In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix cache_request leak in cache_release

When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request.

In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup.

The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up.

Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request.
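The leak and the fix described above, reduced to a userspace C model. This is an added example, not the kernel source or the upstream patch: `struct req`, `model_dequeue`, `model_release` and `leaked_after_close` are hypothetical names, and a single flag stands in for CACHE_PENDING.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model constructed for illustration; not the kernel's code. */
struct req {
    int readers;   /* readers part-way through this request */
    bool pending;  /* models the CACHE_PENDING bit */
};
static int live;   /* requests allocated and not yet freed */
static void req_free(struct req *rq) { free(rq); live--; }

/* cache_dequeue(): runs when CACHE_PENDING goes set -> clear and skips
 * any request that still has readers. */
static bool model_dequeue(struct req *rq)
{
    rq->pending = false;
    if (rq->readers) return false;
    req_free(rq);
    return true;
}

/* cache_release() for a reader that is mid-request (rp->offset != 0).
 * fixed == false models the pre-patch behaviour: decrement only. */
static bool model_release(struct req *rq, bool fixed)
{
    rq->readers--;
    if (!fixed || rq->readers != 0 || rq->pending) return false;
    req_free(rq);
    return true;
}

/* Requests still allocated after the reader closes its descriptor.
 * clear_first: CACHE_PENDING clears before the close (the leaking order). */
int leaked_after_close(bool fixed, bool clear_first)
{
    struct req *rq = calloc(1, sizeof(*rq));
    if (!rq) abort();
    live++;
    rq->pending = true;
    rq->readers = 1;                        /* reader is part-way through */
    if (clear_first) model_dequeue(rq);     /* skipped: readers != 0 */
    bool freed = model_release(rq, fixed);
    if (!freed && !clear_first) freed = model_dequeue(rq);
    int leaked = live;
    if (!freed) req_free(rq);               /* tidy up the demo itself */
    return leaked;
}

int main(void) { return leaked_after_close(true, true); } /* exit status 0 */
```

Only the ordering in which CACHE_PENDING clears before the close leaks without the added check; when the close comes first, the later dequeue still frees the request in both variants.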
INFO
Published Date: April 3, 2026, 4:16 p.m.
Last Modified: May 20, 2026, 12:31 p.m.
Remotely Exploitable: No
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | MEDIUM | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | | | [email protected] |
Solution
- Update the Linux kernel to include the fix.
- Verify cache_request memory is properly freed.
- Ensure cache_dequeue handles all cleanup paths.
- Test cache_release logic for zero reader counts.
Public PoC/Exploit Available at GitHub
CVE-2026-31400 has 1 public PoC/Exploit available on GitHub.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by the most recently updated).
- DSA and DLA for Debian last 14 days (Python)
The following table lists the changes that have been made to the
CVE-2026-31400 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Initial Analysis by [email protected], May. 20, 2026
  - Added CVSS V3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  - Added CWE: CWE-401
  - Added CPE Configuration: OR
    - *cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    - *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.130
    - *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.203
    - *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.167
    - *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.78
    - *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.18.20
    - *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 6.19.10
    - *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.12.1 up to (excluding) 5.10.253
  - Added Reference Type: kernel.org: https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065 Types: Patch
  - Added Reference Type: kernel.org: https://git.kernel.org/stable/c/1dfedb293943e491379c9302b428e6f920a73d12 Types: Patch
  - Added Reference Type: kernel.org: https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351 Types: Patch
  - Added Reference Type: kernel.org: https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673 Types: Patch
  - Added Reference Type: kernel.org: https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2 Types: Patch
  - Added Reference Type: kernel.org: https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1 Types: Patch
  - Added Reference Type: kernel.org: https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc Types: Patch
  - Added Reference Type: kernel.org: https://git.kernel.org/stable/c/f18c1f2a88ca91357916997cdb0f7adaf14fc497 Types: Patch
- CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67, Apr. 18, 2026
  - Added Reference: https://git.kernel.org/stable/c/1dfedb293943e491379c9302b428e6f920a73d12
  - Added Reference: https://git.kernel.org/stable/c/f18c1f2a88ca91357916997cdb0f7adaf14fc497
- New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67, Apr. 03, 2026
  - Added Description: the text given in full under Description above.
  - Added Reference: https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065
  - Added Reference: https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351
  - Added Reference: https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673
  - Added Reference: https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2
  - Added Reference: https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1
  - Added Reference: https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc