CVE-2026-31663
HIGH EPSS 2.1%
Published Apr 24, 20262mo ago · Modified Jun 19, 20261w ago
7.8 CVSS 3.1
Published Apr 24, 2026 2mo ago
Last Modified Jun 19, 2026 1w ago
Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
2.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Affected Products 13
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | ≥3.2.100 – <3.3 |
| linux | linux_kernel | * | ≥3.16.55 – <3.17 |
| linux | linux_kernel | * | ≥4.14.24 – <4.15 |
| linux | linux_kernel | * | ≥4.15.1 – <6.18.23 |
| linux | linux_kernel | * | ≥6.19 – <6.19.13 |
| linux | linux_kernel | 4.15 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
References 4
- git.kernel.org https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b
- git.kernel.org https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb
- git.kernel.org https://git.kernel.org/stable/c/4236c30b437b80f673b9e08c8fae38b8d471ac9e
- git.kernel.org https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2
Remediation
- git.kernel.org https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b
- git.kernel.org https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb
- git.kernel.org https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2