CVE-2026-31400

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sunrpc: fix cache_request leak in cache_release<br /> <br /> When a reader&amp;#39;s file descriptor is closed while in the middle of reading<br /> a cache_request (rp-&gt;offset != 0), cache_release() decrements the<br /> request&amp;#39;s readers count but never checks whether it should free the<br /> request.<br /> <br /> In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the<br /> cache_request is removed from the queue and freed along with its buffer<br /> and cache_head reference. cache_release() lacks this cleanup.<br /> <br /> The only other path that frees requests with readers == 0 is<br /> cache_dequeue(), but it runs only when CACHE_PENDING transitions from<br /> set to clear. If that transition already happened while readers was<br /> still non-zero, cache_dequeue() will have skipped the request, and no<br /> subsequent call will clean it up.<br /> <br /> Add the same cleanup logic from cache_read() to cache_release(): after<br /> decrementing readers, check if it reached 0 with CACHE_PENDING clear,<br /> and if so, dequeue and free the cache_request.