{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31504", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.105Z", "datePublished": "2026-04-22T13:54:23.862Z", "dateUpdated": "2026-04-22T13:54:23.862Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:23.862Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/packet/af_packet.c"], "versions": [{"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "ee642b1962caa9aa231c01abbd58bc453ae6b66e", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "42cfd7898eeed290c9fb73f732af1f7d6b0a703e", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "1b4c03f8892d955385c202009af7485364731bb9", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "654386baef228c2992dbf604c819e4c7c35fc71b", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "75fe6db23705a1d55160081f7b37db9665b1880b", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "ceccbfc6de720ad633519a226715989cfb065af1", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "42156f93d123436f2a27c468f18c966b7e5db796", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/packet/af_packet.c"], "versions": [{"version": "3.1", "status": "affected"}, {"version": "0", "lessThan": "3.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"}, {"url": "https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"}, {"url": "https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"}, {"url": "https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"}, {"url": "https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"}, {"url": "https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"}, {"url": "https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"}, {"url": "https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"}], "title": "net: fix fanout UAF in packet_release() via NETDEV_UP race", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617."}], "id": "CVE-2026-31504", "lastModified": "2026-04-22T14:16:49.040", "metrics": {}, "published": "2026-04-22T14:16:49.040", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ce06b03e60fc19c680d1bf873e779bf11c2fc518,ee642b1962caa9aa231c01abbd58bc453ae6b66e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ce06b03e60fc19c680d1bf873e779bf11c2fc518,42cfd7898eeed290c9fb73f732af1f7d6b0a703e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ce06b03e60fc19c680d1bf873e779bf11c2fc518,1b4c03f8892d955385c202009af7485364731bb9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ce06b03e60fc19c680d1bf873e779bf11c2fc518,654386baef228c2992dbf604c819e4c7c35fc71b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ce06b03e60fc19c680d1bf873e779bf11c2fc518,75fe6db23705a1d55160081f7b37db9665b1880b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ce06b03e60fc19c680d1bf873e779bf11c2fc518,d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ce06b03e60fc19c680d1bf873e779bf11c2fc518,ceccbfc6de720ad633519a226715989cfb065af1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ce06b03e60fc19c680d1bf873e779bf11c2fc518,42156f93d123436f2a27c468f18c966b7e5db796)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:43:49.100048+00:00", "value": {"mitigation_remediation": ["update the kernel to a version that includes the commit fixing packet_release() and fanout race conditions", "review and incorporate any available patches from the linked Git kernel commits into custom kernel builds", "ensure that configuration and custom network drivers do not otherwise expose raw packet sockets to untrusted users, and consider disabling fanout on sensitive interfaces if not required"], "summary": {"action": "Apply patch", "impact": "Execution of code due to a kernel use\u2011after\u2011free"}, "threat_synthesis": {"affected_systems": "All Linux kernels versions prior to the fix commit (see references) are affected. The exact version range is not specified in the data, but any kernel build lacking the patch that sets po->num to zero inside packet_release() is vulnerable. This includes kernels that ship without the accompanying audit commit and those that have not incorporated the change from the provided Git commits.", "description_and_impact": "The Linux kernel bug allows a race between packet_release() and a NETDEV_UP event that re\u2011registers a socket into a fanout group's array, leaving a dangling pointer and an unreset counter. Because the socket is later accessed through this dangling reference, an attacker who can control or influence socket lifecycle can potentially execute arbitrary code with kernel privileges. The weakness is a classic use\u2011after\u2011free race condition. The description does not detail a confirmed exploitation path, but the nature of the flaw warrants concern for code execution and privilege escalation.", "risk_and_exploitability": "The CVSS score is not supplied, but the bug involves a use\u2011after\u2011free with a potential for arbitrary code execution, indicating high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploitation yet. The likely attack vector would require local access to a process that can create and manipulate raw packet sockets and can trigger a NETDEV_UP event, such as by switching a network interface. The presence of the race window means that timely ordering of packet_release() and NETDEV_UP is critical for exploitation. If an attacker can orchestrate these events, they could hold an arbitrary kernel pointer and influence kernel memory."}}}}, "created": "2026-04-22T18:00:05.276443+00:00", "updated": "2026-04-22T18:45:24.012649+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}