CVE-2026-31700
- Source
- https://cve.org/CVERecord?id=CVE-2026-31700
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31700.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31700
- Downstream
- Related
- Published
- 2026-05-01T13:56:00.205Z
- Modified
- 2026-05-18T05:59:53.967508811Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix TOCTOU race on mmap'd vnethdr in tpacketsnd()
In tpacketsnd(), when PACKETVNETHDR is enabled, vnethdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packetsndvnetparse() but then re-reads all fields later in virtionethdrtoskb(). A concurrent userspace thread can modify the vnethdr fields between validation and use, bypassing all safety checks.
The non-TPACKET path (packetsnd()) already correctly copies vnethdr to a stack-local variable. All other vnethdr consumers in the kernel (tun.c, tap.c, virtionet.c) also use stack copies. The TPACKET TX path is the only caller of virtionethdrtoskb() that reads directly from user-controlled shared memory.
Fix this by copying vnethdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packetsnd() and all other callers.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31700.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27
- https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5
- https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd
- https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b
- https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31700.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31700
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1d036d25e5609ba73fee6a88db01c306b140d512Fixed74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121Fixed3a1bf9116ea31470b89692585c3910dfe830dcddFixed28324a3b62d9ce7f9bdd65a8ce63f382041d1b27Fixed48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804bFixed2c054e17d9d41f1020376806c7f750834ced4dc5