CVE-2026-31469

Source
https://cve.org/CVERecord?id=CVE-2026-31469
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31469.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31469
Downstream
Related
Published
2026-04-22T13:53:58.266Z
Modified
2026-07-02T09:29:15.589003627Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
Details

In the Linux kernel, the following vulnerability has been resolved:

virtionet: Fix UAF on dstops when IFFXMITDSTRELEASE is cleared and napitx is false

A UAF issue occurs when the virtionet driver is configured with napitx=N and the device's IFFXMITDST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules).

When IFFXMITDSTRELEASE is removed from the netdevice, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed. In virtionet with napitx=N, skbs may remain in the virtio transmit ring for an extended period.

If the network namespace is destroyed while these skbs are still pending, the corresponding dstops structure has freed. When a subsequent packet is transmitted, freeoldxmit() is triggered to clean up old skbs. It then calls dstrelease() on the skb associated with the stale dstentry. Since the dstops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs.

fix it by adds skbdstdrop(skb) in startxmit to explicitly release the dst reference before the skb is queued in virtionet.

Call Trace: Unable to handle kernel paging request at virtual address ffff80007e150000 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT ... percpucounteraddbatch+0x3c/0x158 lib/percpucounter.c:98 (P) dstrelease+0xe0/0x110 net/core/dst.c:177 skbreleaseheadstate+0xe8/0x108 net/core/skbuff.c:1177 skskbreasondrop+0x54/0x2d8 net/core/skbuff.c:1255 devkfreeskbanyreason+0x64/0x78 net/core/dev.c:3469 napiconsume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527 _freeoldxmit+0x164/0x230 drivers/net/virtionet.c:611 [virtionet] freeoldxmit drivers/net/virtionet.c:1081 [virtionet] startxmit+0x7c/0x530 drivers/net/virtionet.c:3329 [virtionet] ...

Reproduction Steps: NETDEV="enp3s0"

configqdiscroute_filter() { tc qdisc del dev $NETDEV root tc qdisc add dev $NETDEV root handle 1: prio tc filter add dev $NETDEV parent 1:0 \ protocol ip prio 100 route to 100 flowid 1:1 ip route add 192.168.1.100/32 dev $NETDEV realm 100 }

test_ns() { ip netns add testns ip link set $NETDEV netns testns ip netns exec testns ifconfig $NETDEV 10.0.32.46/24 ip netns exec testns ping -c 1 10.0.32.1 ip netns del testns }

configqdiscroute_filter

testns sleep 2 testns

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31469.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f2fc6a54585a1be6669613a31fbaba2ecbadcd36
Fixed
be0e63f3b97bbaf453c542e8a15ba2a536e2ac01
Fixed
c1ec36cb3768574b916f20d2d7415fd14fa1bf12
Fixed
8a4790850e710fd6771e4d2112168ed1dd6c0e54
Fixed
fedd2e1630cac920844997227ccbe7b26a76375a
Fixed
f04733c4dc40c43899c3d1c97afbae5831a3770f
Fixed
9a18629f2525781f0f3dda7be72b204e4cf77d08
Fixed
63d45077b97bb0e0fe0c75931acbbca7a47af141
Fixed
ba8bda9a0896746053aa97ac6c3e08168729172c

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31469.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.26
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.131
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.80
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31469.json"