CVE-2026-31400 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix cache_request leak in cache_release

When a reader's file descriptor is closed while in the middle of reading
a cache_request (rp->offset != 0), cache_release() decrements the
request's readers count but never checks whether it should free the
request.

In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the
cache_request is removed from the queue and freed along with its buffer
and cache_head reference. cache_release() lacks this cleanup.

The only other path that frees requests with readers == 0 is
cache_dequeue(), but it runs only when CACHE_PENDING transitions from
set to clear. If that transition already happened while readers was
still non-zero, cache_dequeue() will have skipped the request, and no
subsequent call will clean it up.

Add the same cleanup logic from cache_read() to cache_release(): after
decrementing readers, check if it reached 0 with CACHE_PENDING clear,
and if so, dequeue and free the cache_request.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 7bcd5e318876ac638c8ceade7a648e76ac8c48e1
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 41f6ba6c98a618043d2cd71030bf9a752dfab8b2
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 301670dcd098c1fe5c2fe90fb3c7a8f4814d2351
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< be5c35960e5ead70862736161836e2d1bc7352dc
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 373457de14281c1fc7cace6fc4c8a267fc176673
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 17ad31b3a43b72aec3a3d83605891e1397d0d065

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065
https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351
https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673
https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2
https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1
https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc

History

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup. The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up. Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request.
Title		sunrpc: fix cache_request leak in cache_release
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065 https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351 https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673 https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2 https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1 https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:16:03.906Z

Updated: 2026-04-03T15:16:03.906Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31400

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:38.623

Modified: 2026-04-03T16:16:38.623

Link: CVE-2026-31400

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object