CVE-2026-45964

216.73.217.22

· Published 27/05/2026 16:17 · Modified 27/05/2026 14:48 · Author: The MITRE Corporation

Labels: CVE-2026-45964 2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 CVE-2026-45964

Essential information

Published: 27/05/2026 16:17
Modified: 27/05/2026 14:48
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 5.5 MEDIUM (v3.1)
CISA KEV: No
CWE: CWE-401
EPSS (First): P11.2% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00210)
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path Commit 5940d1cf9f42 ("SUNRPC: Rebalance a kref in auth_gss.c") added a kref_get(&gss_auth->kref) call to balance the gss_put_auth() done in gss_release_msg(), but forgot to add a corresponding kref_put() on the error path when kstrdup_const() fails. If service_name is non-NULL and kstrdup_const() fails, the function jumps to err_put_pipe_version which calls put_pipe_version() and kfree(gss_msg), but never releases the gss_auth reference. This leads to a kref leak where the gss_auth structure is never freed. Add a forward declaration for gss_free_callback() and call kref_put() in the err_put_pipe_version error path to properly release the reference taken earlier.

NVD status

Status: Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD: View on NVD

Affected products (CPE)

Product	CPE
linux / kernel	`cpe:2.3:a:linux:kernel::::::::`