{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31469", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.097Z", "datePublished": "2026-04-22T13:53:58.266Z", "dateUpdated": "2026-04-22T13:53:58.266Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:53:58.266Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb->dst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n ...\n percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n dst_release+0xe0/0x110 net/core/dst.c:177\n skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]\n free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n tc qdisc del dev $NETDEV root\n tc qdisc add dev $NETDEV root handle 1: prio\n tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n ip netns add testns\n ip link set $NETDEV netns testns\n ip netns exec testns ifconfig $NETDEV 10.0.32.46/24\n ip netns exec testns ping -c 1 10.0.32.1\n ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/virtio_net.c"], "versions": [{"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36", "lessThan": "be0e63f3b97bbaf453c542e8a15ba2a536e2ac01", "status": "affected", "versionType": "git"}, {"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36", "lessThan": "c1ec36cb3768574b916f20d2d7415fd14fa1bf12", "status": "affected", "versionType": "git"}, {"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36", "lessThan": "8a4790850e710fd6771e4d2112168ed1dd6c0e54", "status": "affected", "versionType": "git"}, {"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36", "lessThan": "fedd2e1630cac920844997227ccbe7b26a76375a", "status": "affected", "versionType": "git"}, {"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36", "lessThan": "f04733c4dc40c43899c3d1c97afbae5831a3770f", "status": "affected", "versionType": "git"}, {"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36", "lessThan": "9a18629f2525781f0f3dda7be72b204e4cf77d08", "status": "affected", "versionType": "git"}, {"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36", "lessThan": "63d45077b97bb0e0fe0c75931acbbca7a47af141", "status": "affected", "versionType": "git"}, {"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36", "lessThan": "ba8bda9a0896746053aa97ac6c3e08168729172c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/virtio_net.c"], "versions": [{"version": "2.6.26", "status": "affected"}, {"version": "0", "lessThan": "2.6.26", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"}, {"url": "https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12"}, {"url": "https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54"}, {"url": "https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a"}, {"url": "https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f"}, {"url": "https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08"}, {"url": "https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141"}, {"url": "https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c"}], "title": "virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb->dst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n ...\n percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n dst_release+0xe0/0x110 net/core/dst.c:177\n skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]\n free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n tc qdisc del dev $NETDEV root\n tc qdisc add dev $NETDEV root handle 1: prio\n tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n ip netns add testns\n ip link set $NETDEV netns testns\n ip netns exec testns ifconfig $NETDEV 10.0.32.46/24\n ip netns exec testns ping -c 1 10.0.32.1\n ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns"}], "id": "CVE-2026-31469", "lastModified": "2026-04-22T14:16:43.260", "metrics": {}, "published": "2026-04-22T14:16:43.260", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2fc6a54585a1be6669613a31fbaba2ecbadcd36,be0e63f3b97bbaf453c542e8a15ba2a536e2ac01)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2fc6a54585a1be6669613a31fbaba2ecbadcd36,c1ec36cb3768574b916f20d2d7415fd14fa1bf12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2fc6a54585a1be6669613a31fbaba2ecbadcd36,8a4790850e710fd6771e4d2112168ed1dd6c0e54)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2fc6a54585a1be6669613a31fbaba2ecbadcd36,fedd2e1630cac920844997227ccbe7b26a76375a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2fc6a54585a1be6669613a31fbaba2ecbadcd36,f04733c4dc40c43899c3d1c97afbae5831a3770f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2fc6a54585a1be6669613a31fbaba2ecbadcd36,9a18629f2525781f0f3dda7be72b204e4cf77d08)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2fc6a54585a1be6669613a31fbaba2ecbadcd36,63d45077b97bb0e0fe0c75931acbbca7a47af141)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f2fc6a54585a1be6669613a31fbaba2ecbadcd36,ba8bda9a0896746053aa97ac6c3e08168729172c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.26"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.26)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T19:00:23.072474+00:00", "value": {"mitigation_remediation": ["Apply the Linux kernel update that includes the commit referenced in the advisory (e.g., update to any kernel version that contains the skb_dst_drop addition to virtio_net start_xmit).", "If immediate kernel update is not possible, refrain from destroying network namespaces while packets may still be queued in virtio_net and limit manipulation of IFF_XMIT_DST_RELEASE and route filter qdiscs.", "After upgrading, rebuild any custom kernel modules and verify that the virtio_net module reflects the updated commit hash."], "summary": {"action": "Apply patch", "impact": "Use\u2011After\u2011Free leading to kernel crash"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel, specifically the virtio_net driver module. Version information is not enumerated in the advisory; however, the issue was confirmed against a 7.0.0\u2011rc1 kernel instance and is likely present in all kernels that have not applied the commit that introduces skb_dst_drop in start_xmit.", "description_and_impact": "A use\u2011after\u2011free occurs when the virtio_net driver runs with napi_tx disabled and the IFF_XMIT_DST_RELEASE flag is cleared while transmitted packets remain in the virtio ring; destroying the network namespace frees the underlying dst_ops structure, causing a subsequent packet transmission to dereference a freed pointer and trigger a kernel paging request. The flaw is a classic Use\u2011After\u2011Free (CWE\u2011416) that results in an unconditional crash and denial of service rather than arbitrary code execution.", "risk_and_exploitability": "The CVSS score is not provided and EPSS is unavailable; the vulnerability is not listed in CISA KEV. Exploitation requires a local user with the ability to create and delete network namespaces or manipulate netlink qdisc settings, which effectively grants root or at least kernel\u2011module capability. Given that the impact is a forced kernel panic, the risk is high for affected systems, but the vector is limited to privileged locals. In practice, operators should assess whether they run untrusted software with netns or tc access before applying this fix."}}}}, "created": "2026-04-22T16:45:21.251810+00:00", "updated": "2026-04-22T19:15:24.473882+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}