U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2026-31400 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup. The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up. Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065 kernel.org Patch 
https://git.kernel.org/stable/c/1dfedb293943e491379c9302b428e6f920a73d12 kernel.org Patch 
https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351 kernel.org Patch 
https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673 kernel.org Patch 
https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2 kernel.org Patch 
https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1 kernel.org Patch 
https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc kernel.org Patch 
https://git.kernel.org/stable/c/f18c1f2a88ca91357916997cdb0f7adaf14fc497 kernel.org Patch 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-401 Missing Release of Memory after Effective Lifetime cwe source acceptance level NIST  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2026-31400
NVD Published Date:
04/03/2026
NVD Last Modified:
05/20/2026
Source:
kernel.org