CVE-2026-31516

In the Linux kernel, the following vulnerability has been resolved:

xfrm: prevent policy_hthresh.work from racing with netns teardown

A XFRMMSGNEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue.

The queued callback, xfrmhashrebuild(), retrieves the enclosing struct net via containerof(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrmhash_rebuild() may then dereference stale memory.

xfrmpolicyfini() already flushes policyhashwork during teardown, but it does not synchronize policy_hthresh.work.

Synchronize policyhthresh.work in xfrmpolicy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net.