CVE-2026-23066

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc: Fix recvmsg() unconditional requeue<br /> <br /> If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at<br /> the front of the recvmsg queue already has its mutex locked, it requeues<br /> the call - whether or not the call is already queued. The call may be on<br /> the queue because MSG_PEEK was also passed and so the call was not dequeued<br /> or because the I/O thread requeued it.<br /> <br /> The unconditional requeue may then corrupt the recvmsg queue, leading to<br /> things like UAFs or refcount underruns.<br /> <br /> Fix this by only requeuing the call if it isn&amp;#39;t already on the queue - and<br /> moving it to the front if it is already queued. If we don&amp;#39;t queue it, we<br /> have to put the ref we obtained by dequeuing it.<br /> <br /> Also, MSG_PEEK doesn&amp;#39;t dequeue the call so shouldn&amp;#39;t call<br /> rxrpc_notify_socket() for the call if we didn&amp;#39;t use up all the data on the<br /> queue, so fix that also.