CVE-2026-31700

Severity: HIGH (CVSS 3.1 base score 7.8) · EPSS 1.2%
Published May 1, 2026 · Last Modified Jun 19, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()

In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks.

The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory.

Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.
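The validate-then-re-read pattern named in the description, reduced to a user-space C model next to the copy-first pattern (an added example, not kernel code and not the patch itself). The struct, the validation rule, the frame length and every `demo_` name are hypothetical; the concurrent writer is modelled as a callback run between validation and use so the result is deterministic.

```c
#include <stdint.h>

/* Hypothetical, simplified stand-in for the vnet header; not the kernel's struct. */
struct demo_vnet_hdr {
    uint16_t hdr_len;   /* bytes the sender claims are header */
    uint16_t gso_size;  /* claimed segment size */
};

#define DEMO_FRAME_LEN 128u  /* assumed frame size for this model */

/* Stand-in for the validation step: claimed lengths must fit the frame. */
static int demo_hdr_valid(const struct demo_vnet_hdr *h)
{
    return h->hdr_len <= DEMO_FRAME_LEN && h->gso_size <= DEMO_FRAME_LEN;
}

/* Models the other thread: invoked between validation and use. */
typedef void (*demo_racer_fn)(volatile struct demo_vnet_hdr *shared);

/* "Before" pattern: validates the shared header, then reads it again for use.
 * Returns the hdr_len actually consumed, or -1 if rejected. */
static int demo_use_shared(volatile struct demo_vnet_hdr *shared, demo_racer_fn racer)
{
    struct demo_vnet_hdr seen = { shared->hdr_len, shared->gso_size }; /* fetch 1 */
    if (!demo_hdr_valid(&seen))
        return -1;
    if (racer)
        racer(shared);          /* shared slot changes after the check */
    return shared->hdr_len;     /* fetch 2: a value that was never checked */
}

/* "After" pattern: one snapshot into a stack-local copy; validate and use the copy. */
static int demo_use_snapshot(volatile struct demo_vnet_hdr *shared, demo_racer_fn racer)
{
    struct demo_vnet_hdr local = { shared->hdr_len, shared->gso_size }; /* only fetch */
    if (!demo_hdr_valid(&local))
        return -1;
    if (racer)
        racer(shared);          /* later writes cannot reach the private copy */
    return local.hdr_len;
}

/* Constructed writer: sets hdr_len to a value the validation would reject. */
static void demo_racer(volatile struct demo_vnet_hdr *shared)
{
    shared->hdr_len = 4096;
}
```
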

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 1.2% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-362

Affected Products 6

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥4.6 – <6.6.136
linux    linux_kernel   *         ≥6.7 – <6.12.84
linux    linux_kernel   *         ≥6.13 – <6.18.25
linux    linux_kernel   *         ≥6.19 – <7.0.2
linux    linux_kernel   7.1       any
linux    linux_kernel   7.1       any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0f4c9754956b86de158a4af5278c5cf5bda9439e
  • git.kernel.org https://git.kernel.org/stable/c/1490f82353bdabc09265a74e645b07f05cf4188e
  • git.kernel.org https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/714aa973da8163925eda7efd49361ccbee21ee46
  • git.kernel.org https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121
    Patch