OESA-2026-2310

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packetrelease() via NETDEVUP race

packet_release() has a race window where NETDEV_UP can re-register a socket into a fanout group's arr[] array. The re-registration is not cleaned up by fanout_release(), leaving a dangling pointer in the fanout array. packet_release() does NOT zero po->num in its bind_lock section. After releasing bind_lock, po->num is still non-zero and po->ifindex still matches the bound device. A concurrent packet_notifier(NETDEV_UP) that already found the socket in sklist can re-register the hook. For fanout sockets, this re-registration calls __fanout_link(sk, po) which adds the socket back into f->arr[] and increments f->num_members, but does NOT increment f->sk_ref.

The fix sets po->num to zero in packet_release while bind_lock is held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based on CVE-2025-38617.(CVE-2026-31504)

In the Linux kernel, the following vulnerability has been resolved:

afkey: validate families in pfkeysend_migrate()

syzbot was able to trigger a crash in skb_put() [1]

Issue is that pfkeysendmigrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb.

Validate families early, do not wait set_ipsecrequest().

[1]

skbuff: skboverpanic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skboverpanic net/core/skbuff.c:219 [inline] skbput+0x159/0x210 net/core/skbuff.c:2655 skbputzero include/linux/skbuff.h:2788 [inline] setipsecrequest net/key/afkey.c:3532 [inline] pfkeysendmigrate+0x1270/0x2e50 net/key/afkey.c:3636 kmmigrate+0x155/0x260 net/xfrm/xfrmstate.c:2848 xfrmmigrate+0x2140/0x2450 net/xfrm/xfrmpolicy.c:4705 xfrmdomigrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150(CVE-2026-31515)

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: proc: size address buffers for %pISpc output

The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc".

That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6addris_isatap().

As a result, a case such as

is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c.

Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf().

Changes since v1: - correct the changelog to cite the actual maximum current-tree case explicitly - frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example(CVE-2026-31630)

In the Linux kernel, the following vulnerability has been resolved:

afunix: read UNIXDIAGVFS data under unixstate_lock

Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unixreleasesock() clears u->path under unixstatelock() and drops the path reference after unlocking.

Read the inode and device numbers for UNIXDIAGVFS while holding unixstatelock(), then emit the netlink attribute after dropping the lock.

This keeps the VFS data stable while the reply is being built.(CVE-2026-31673)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6trt: reject oversized addrnr in rtmt6_check()

Reject rt match rules whose addrnr exceeds IP6TRTHOPS.

rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.(CVE-2026-31674)

In the Linux kernel, the following vulnerability has been resolved:

bridge: brndsend: linearize skb before parsing ND options

brndsend() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.

Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.

Linearize request before option parsing and derive ns from the linear network header.(CVE-2026-31682)

In the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSGSPLICEPAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFLSHAREDFRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed.(CVE-2026-43284)