CVE-2026-45964

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
16/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path<br /> <br /> Commit 5940d1cf9f42 ("SUNRPC: Rebalance a kref in auth_gss.c") added<br /> a kref_get(&amp;gss_auth-&gt;kref) call to balance the gss_put_auth() done<br /> in gss_release_msg(), but forgot to add a corresponding kref_put()<br /> on the error path when kstrdup_const() fails.<br /> <br /> If service_name is non-NULL and kstrdup_const() fails, the function<br /> jumps to err_put_pipe_version which calls put_pipe_version() and<br /> kfree(gss_msg), but never releases the gss_auth reference. This leads<br /> to a kref leak where the gss_auth structure is never freed.<br /> <br /> Add a forward declaration for gss_free_callback() and call kref_put()<br /> in the err_put_pipe_version error path to properly release the<br /> reference taken earlier.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.2 (including) 5.10.252 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.202 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.128 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.4 (excluding)