A subtle locking bug in the kernel's RxRPC recvpath can corrupt internal socket queues and lead to use-after-free and refcount underruns — a flaw tracked as CVE-2026-23066 that was introduced by incorrect requeue logic in rxrpc_recvmsg() and fixed upstream by a targeted patch in early 2026...
