Skip to main content

Linux Kernel CVE-2026-31429

| EUVDEUVD-2026-23816 MEDIUM
Memory Leak (CWE-401)
2026-04-20 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.6 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 19:39 vuln.today
CVSS changed
May 20, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 20, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 20, 2026 - 10:15 euvd
EUVD-2026-23816
CVE Published
Apr 20, 2026 - 09:43 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: skb: fix cross-cache free of KFENCE-allocated skb head

SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc bucket sizes. This ensures that skb_kfree_head() can reliably use skb_end_offset to distinguish skb heads allocated from skb_small_head_cache vs. generic kmalloc caches.

However, when KFENCE is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If a caller (e.g. bpf_test_init) allocates skb head data via kzalloc() and the requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then slab_build_skb() -> ksize() returns that exact value. After subtracting skb_shared_info overhead, skb_end_offset ends up matching SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free the object to skb_small_head_cache instead of back to the original kmalloc cache, resulting in a slab cross-cache free:

kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k

Fix this by always calling kfree(head) in skb_kfree_head(). This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects.

AnalysisAI

Cross-cache slab free in the Linux kernel's socket buffer (SKB) subsystem allows a local authenticated attacker to trigger a kernel panic and denial of service on systems where KFENCE is enabled. When KFENCE intercepts a kzalloc() call whose requested size exactly matches SKB_SMALL_HEAD_CACHE_SIZE, the computed skb_end_offset misleads skb_kfree_head() into freeing the object to skb_small_head_cache instead of the originating kmalloc cache, corrupting slab allocator state. No public exploit is identified at time of analysis and EPSS is 0.02% (4th percentile), placing this firmly in the low-urgency tier absent a KFENCE-enabled production environment.

Technical ContextAI

The Linux kernel maintains a specialized slab cache (skb_small_head_cache) for socket buffer heads, intentionally sized at a non-power-of-2 value - 704 bytes on x86_64 - so that skb_kfree_head() can use skb_end_offset as a reliable sentinel to distinguish it from generic kmalloc buckets. KFENCE (Kernel Electric Fence, CONFIG_KFENCE) is a sampling-based, low-overhead memory safety tool; when active, kfence_ksize() returns the exact requested allocation size rather than the slab bucket size. This breaks the sentinel assumption: if bpf_test_init (or any caller) issues kzalloc() with a size equal to SKB_SMALL_HEAD_CACHE_SIZE and KFENCE intercepts the allocation, the slab_build_skb() -> ksize() call returns the exact value, causing skb_end_offset after subtracting skb_shared_info overhead to equal SKB_SMALL_HEAD_HEADROOM. The free path then routes the object to the wrong cache, producing a 'Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k' splat. CWE-401 (improper release of memory) describes the root cause class: memory is released to an incorrect allocator context, leading to slab state corruption. CPE data identifies the affected product as cpe:2.3:a:linux:linux across multiple stable branches.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.12.82, 6.18.23, 6.19.13, or mainline 7.0, as confirmed by EUVD affected version data. Upstream stable patches are available at https://git.kernel.org/stable/c/60313768a8edc7094435975587c00c2d7b834083, https://git.kernel.org/stable/c/2d64618ea846d8d033477311f805ca487d6a6696, https://git.kernel.org/stable/c/474e00b935db250cac320d10c1d3cf4e44b46721, and https://git.kernel.org/stable/c/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516. Where patching is not immediately feasible on KFENCE-enabled systems, the compensating control is to disable KFENCE by setting kfence.sample_interval=0 on the kernel command line or by rebuilding with CONFIG_KFENCE=n; this eliminates the vulnerable allocation-size reporting path entirely. The trade-off is loss of KFENCE's memory safety detection capability, relevant only to environments using it deliberately for kernel debugging or fuzzing. Production systems without KFENCE enabled are not affected and require no immediate action beyond scheduling the next routine kernel update.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy