Linux Kernel, Queue Corruption, CVE-2026-23066 (Medium)

Listen to this Post

CVE-2026-23066 is a vulnerability in the Linux kernel’s rxrpc subsystem, which handles the RxRPC protocol. The flaw resides in the `recvmsg()` function’s logic for managing the queue of incoming calls. When a `recvmsg()` call fails because the `MSG_DONTWAIT` flag was set and the mutex for the call at the front of the queue is already locked, the function attempts to put the call back on the queue. However, it does so unconditionally, without first checking if the call is already present on that queue. A call could already be on the queue for legitimate reasons, such as the use of the `MSG_PEEK` flag (which allows reading data without removing the call from the queue) or if the I/O thread had already requeued it. This unconditional requeue corrupts the recvmsg queue’s structure. This corruption can lead to the same call being queued multiple times, which ultimately results in the kernel mistakenly dropping references to the call (refcount underflow) or accessing memory after it has been freed (Use-After-Free), leading to a system crash or potential privilege escalation.

dailycve form:

Platform: Linux Kernel
Version: 4.11 to 6.18.8
Vulnerability : Queue Corruption/UAF
Severity: Medium (CVSS 5.5)
date: 2026-02-04

Prediction: Patched in 6.18.8, 6.19-rc7

What Undercode Say:

Analytics

This vulnerability affects the Linux kernel from version 4.11 up to, but not including, 6.18.8 and 6.19-rc7 . It is a local vulnerability with a CVSS score of 5.5 (Medium), requiring low privileges and no user interaction to exploit . The primary technical impact is on system availability, as a successful exploit leads to a kernel panic due to memory corruption . The issue resides in the networking stack’s RxRPC protocol implementation . The fix was committed to the mainline kernel and backported to stable branches like 6.6.y .

Exploit

An exploit would involve a local user with access to an RxRPC socket racing two `recvmsg()` system calls. One thread would hold a mutex on a call, while another, using the `MSG_DONTWAIT` flag, attempts to read from the same queue. The specific race condition leads to the list corruption. While a public PoC is not available, the patch provides the precise location of the flaw.

Protection from this CVE

Protection is achieved by updating the Linux kernel to a version containing the fix. The patched versions are 6.18.8 and 6.19-rc7, or any subsequent stable release . System administrators should apply the latest security updates from their Linux distribution. The fix can be identified by the following commit hashes:

For mainline and stable kernels
git show 2c28769a51de
For the 6.6.y stable backport
git show 930114425065

The patch modifies the logic in `net/rxrpc/recvmsg.c` to check if a call is already on the queue before requeueing it :

// From the patch: net/rxrpc/recvmsg.c
if (list_empty(&call->recvmsg_link)) {
list_add(&call->recvmsg_link, &rx->recvmsg_q);
rxrpc_see_call(call, rxrpc_call_see_recvmsg_requeue);
} else if (!list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) {
list_move(&call->recvmsg_link, &rx->recvmsg_q);
rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move);
} else {
// Already at the front, just drop the ref
rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first);
}

Impact

Successful exploitation leads to corruption of the kernel’s `recvmsg` queue for RxRPC sockets. This corruption can manifest as a use-after-free or a refcount underflow, both of which typically result in a kernel panic (denial of service) . In theory, memory corruption bugs of this nature could potentially be leveraged for local privilege escalation, although the CVE description and scoring focus on the availability impact. The vulnerability requires local access to the system to trigger.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top