CVE-2026-31504

Severity: HIGH (CVSS 3.1: 7.8) · EPSS 2.9%
Published Apr 22, 2026 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packet_release() via NETDEV_UP race

`packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array.

`packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.

The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based on CVE-2025-38617.
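The ordering described above, replayed as a single-threaded user-space model with the notifier placed in the window after `bind_lock` is dropped. This is an added example, not kernel code or the upstream patch; the struct layouts, helper names and sample values are assumptions, and only the field names come from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model, not kernel code. Field names follow the CVE text;
 * struct layout and helper names are assumptions made for illustration. */
struct fanout { const void *arr[4]; int num_members; int sk_ref; };
struct psock  { int num; int ifindex; bool freed; struct fanout *f; };

/* Models __fanout_link(): adds to arr[], bumps num_members, not sk_ref. */
static void fanout_link(struct fanout *f, struct psock *po) {
    f->arr[f->num_members++] = po;
}

static void fanout_unlink(struct fanout *f, struct psock *po) {
    for (int i = 0; i < f->num_members; i++)
        if (f->arr[i] == po) { f->arr[i] = f->arr[--f->num_members]; return; }
}

/* Models packet_notifier(NETDEV_UP) for a socket already found in sklist. */
static void notifier_netdev_up(struct psock *po, int ifindex) {
    if (po->num != 0 && po->ifindex == ifindex)
        fanout_link(po->f, po);
}

/* Runs release with the notifier placed in the window after bind_lock is
 * dropped. Returns how many arr[] slots still point at the freed socket. */
int dangling_after_release(bool fixed) {
    struct fanout f = { {NULL}, 0, 1 };          /* one member, one reference */
    struct psock po = { 3, 2, false, &f };       /* constructed sample values */
    int dangling = 0;
    fanout_link(&f, &po);
    /* --- bind_lock held --- */
    fanout_unlink(&f, &po);
    if (fixed) po.num = 0;                       /* the fix described above */
    /* --- bind_lock released: race window --- */
    notifier_netdev_up(&po, 2);
    /* fanout_release(): drops the reference, does not rescan arr[] */
    f.sk_ref--;
    po.freed = true;                             /* socket memory goes away */
    for (int i = 0; i < f.num_members; i++)
        if (f.arr[i] == &po && po.freed) dangling++;
    return dangling;
}

int main(void) {
    printf("unpatched: %d dangling, patched: %d dangling\n",
           dangling_after_release(false), dangling_after_release(true));
    return 0;
}
```

In the unpatched ordering the group ends with `sk_ref` at zero while `arr[]` still lists the released socket; with `po->num` cleared under the lock the notifier's check fails and the array stays empty.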

CVSS Details

Base Score 7.8
Exploitability 1.8
Impact 5.9
Vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 15

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥3.1.1 – <5.10.253
linux   linux_kernel  *        ≥5.11 – <5.15.203
linux   linux_kernel  *        ≥5.16 – <6.1.168
linux   linux_kernel  *        ≥6.2 – <6.6.131
linux   linux_kernel  *        ≥6.7 – <6.12.80
linux   linux_kernel  *        ≥6.13 – <6.18.21
linux   linux_kernel  *        ≥6.19 – <6.19.11
linux   linux_kernel  3.1      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e
    Patch
