Linux Kernel up to 6.18.7/6.19-rc6 rxrpc recvmsg reference count

Summaryinfo

A vulnerability classified as critical has been found in Linux Kernel up to 6.18.7/6.19-rc6. The impacted element is the function recvmsg of the component rxrpc. This manipulation causes reference count. The identification of this vulnerability is CVE-2026-23066. There is no exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.18.7/6.19-rc6. It has been declared as critical. Affected by this vulnerability is the function recvmsg of the component rxrpc. The manipulation with an unknown input leads to a reference count vulnerability. The CWE definition for the vulnerability is CWE-911. The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. As an impact it is known to affect availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns. Fix this by only requeuing the call if it isn't already on the queue - and moving it to the front if it is already queued. If we don't queue it, we have to put the ref we obtained by dequeuing it. Also, MSG_PEEK doesn't dequeue the call so shouldn't call rxrpc_notify_socket() for the call if we didn't use up all the data on the queue, so fix that also.

The advisory is shared at git.kernel.org. This vulnerability is known as CVE-2026-23066 since 01/13/2026. Technical details are known, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 297883 (Linux Distros Unpatched Vulnerability : CVE-2026-23066), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.18.8 or 6.19-rc7 eliminates this vulnerability. Applying the patch 930114425065f7ace6e0c0630fab4af75e059ea8/2c28769a51deb6022d7fbd499987e237a01dd63a is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (297883) and CERT Bund (WID-SEC-2026-0324). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Affected

• Debian Linux
• Google Cloud Platform
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• IBM QRadar SIEM
• SUSE openSUSE
• RESF Rocky Linux
• Open Source Linux Kernel

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.18.0
• 6.18.1
• 6.18.2
• 6.18.3
• 6.18.4
• 6.18.5
• 6.18.6
• 6.18.7
• 6.19-rc1
• 6.19-rc2
• 6.19-rc3
• 6.19-rc4
• 6.19-rc5
• 6.19-rc6

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion