| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026021407-CVE-2026-23118-7579@gregkh>
Date: Sat, 14 Feb 2026 16:10:10 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2026-23118: rxrpc: Fix data-race warning and potential load/store tearing
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix data-race warning and potential load/store tearing
Fix the following:
BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet
which is reporting an issue with the reads and writes to ->last_tx_at in:
conn->peer->last_tx_at = ktime_get_seconds();
and:
keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
The lockless accesses to these to values aren't actually a problem as the
read only needs an approximate time of last transmission for the purposes
of deciding whether or not the transmission of a keepalive packet is
warranted yet.
Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bit
arch.
Fix both of these by switching to an unsigned int for ->last_tx_at and only
storing the LSW of the time64_t. It can then be reconstructed at need
provided no more than 68 years has elapsed since the last transmission.
The Linux kernel CVE team has assigned CVE-2026-23118 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 6.12.69 with commit c08cf314191cd0f8699089715efb9eff030f0086
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 6.18.8 with commit f8cf1368e0a5491b27189a695c36f64e48f3d19d
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 6.19 with commit 5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-23118
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/rxrpc/ar-internal.h
net/rxrpc/conn_event.c
net/rxrpc/output.c
net/rxrpc/peer_event.c
net/rxrpc/proc.c
net/rxrpc/rxgk.c
net/rxrpc/rxkad.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c08cf314191cd0f8699089715efb9eff030f0086
https://git.kernel.org/stable/c/f8cf1368e0a5491b27189a695c36f64e48f3d19d
https://git.kernel.org/stable/c/5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b
Powered by blists - more mailing lists