Skip to main content

Linux Kernel CVE-2026-31700

| EUVDEUVD-2026-26509 HIGH
Race Condition (CWE-362)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:24 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26509
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()

In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks.

The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory.

Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.

AnalysisAI

Time-of-check-time-of-use (TOCTOU) race condition in Linux kernel's TPACKET transmission path allows local authenticated attackers with low privileges to bypass vnet_hdr validation checks and potentially achieve privilege escalation, code execution, or system compromise. The vulnerability affects packet socket implementations when PACKET_VNET_HDR is enabled, where concurrent userspace threads can modify mmap'd ring buffer data between kernel validation and use. Vendor-released patches are available for stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though the high CVSS 7.8 reflects significant local impact potential.

Technical ContextAI

This vulnerability exists in the Linux kernel's AF_PACKET socket implementation, specifically in the TPACKET transmission path (tpacket_snd() function in net/packet/af_packet.c). TPACKET provides a zero-copy mechanism for high-performance packet transmission using memory-mapped ring buffers shared between kernel and userspace. When PACKET_VNET_HDR is enabled (commonly used with virtualization for offload features), the kernel reads virtio_net_hdr structures directly from this shared memory. The vulnerability is a classic TOCTOU race: the kernel validates the vnet_hdr structure via __packet_snd_vnet_parse(), but then re-reads the same fields later in virtio_net_hdr_to_skb() without synchronization. A malicious userspace program can spawn concurrent threads - one issuing sendto() while another modifies the mmap'd vnet_hdr fields after validation but before use, bypassing size checks, GSO validation, or other safety constraints. This differs from the non-TPACKET code path (packet_snd()) and all other kernel vnet_hdr consumers (tun.c, tap.c, virtio_net.c) which correctly copy the header to kernel stack memory before processing. The affected code has existed since commit 1d036d25e560 introduced TPACKET vnet_hdr support, making this a long-standing architectural flaw in the zero-copy optimization.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 6.6.136 or later for 6.6.x LTS series, 6.12.84 or later for 6.12.x series, 7.0.2 or later for 7.0.x series, or 7.1-rc1 and later for mainline. Distribution-specific kernel packages should be updated via normal security update channels (apt, yum, dnf) once vendors backport the fix. Patch commits are available at https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27 (and related commits) for manual backporting if necessary. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Restrict CAP_NET_RAW capability to only essential processes via capability bounding sets or AppArmor/SELinux policies - this prevents unprivileged users from creating AF_PACKET sockets but may break legitimate packet capture tools like tcpdump for non-root users; (2) Disable unprivileged user namespaces via sysctl kernel.unprivileged_userns_clone=0 to prevent privilege escalation paths, though this breaks containerized workloads for non-root users; (3) In virtualized environments, avoid using vhost-net with PACKET_VNET_HDR offload where possible, favoring alternative virtio configurations, though this may reduce network performance by 10-30%. Monitor for unexpected AF_PACKET socket creation via auditd rules (auditctl -a always,exit -F arch=b64 -S socket -F a0=17). Note that workarounds only reduce attack surface and do not eliminate the race condition for privileged processes that legitimately use TPACKET.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31700 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy