Skip to main content

Linux Kernel EUVDEUVD-2026-24817

| CVE-2026-31469 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vggv-f293-vmjw
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:31 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24817
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules).

When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed. In virtio_net with napi_tx=N, skbs may remain in the virtio transmit ring for an extended period.

If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure has freed. When a subsequent packet is transmitted, free_old_xmit() is triggered to clean up old skbs. It then calls dst_release() on the skb associated with the stale dst_entry. Since the dst_ops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs.

fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net.

Call Trace: Unable to handle kernel paging request at virtual address ffff80007e150000 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT ... percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P) dst_release+0xe0/0x110 net/core/dst.c:177 skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177 sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255 dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469 napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527 __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net] free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net] start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net] ...

Reproduction Steps: NETDEV="enp3s0"

config_qdisc_route_filter() { tc qdisc del dev $NETDEV root tc qdisc add dev $NETDEV root handle 1: prio tc filter add dev $NETDEV parent 1:0 \ protocol ip prio 100 route to 100 flowid 1:1 ip route add 192.168.1.100/32 dev $NETDEV realm 100 }

test_ns() { ip netns add testns ip link set $NETDEV netns testns ip netns exec testns ifconfig $NETDEV 10.0.32.46/24 ip netns exec testns ping -c 1 10.0.32.1 ip netns del testns }

config_qdisc_route_filter

test_ns sleep 2 test_ns

AnalysisAI

Use-after-free in Linux kernel virtio_net driver allows local authenticated attackers with low privileges to potentially achieve high confidentiality, integrity, and availability impact. The flaw triggers when virtio_net is configured with napi_tx=N (non-NAPI transmit mode) and the IFF_XMIT_DST_RELEASE flag is cleared by tc route filter rules. When a network namespace is destroyed while packets remain queued in the virtio transmit ring, the freed dst_ops structure is later dereferenced during packet cleanup, causing kernel memory corruption. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.

Technical ContextAI

The vulnerability resides in the virtio_net network driver, which provides paravirtualized network interfaces for virtual machines. The issue involves improper lifecycle management of socket buffer (skb) destination entries when operating in legacy non-NAPI transmit mode (napi_tx=N parameter). The IFF_XMIT_DST_RELEASE flag normally allows the network stack to release skb->dst references early for performance, but when this flag is cleared-such as during Traffic Control (tc) route filter configuration-the driver must hold dst references until transmission completes. In virtio_net's non-NAPI mode, skbs can remain queued in the virtqueue ring for extended periods. If the network namespace containing the associated dst_ops structure is destroyed while packets are still pending, subsequent calls to free_old_xmit() during new transmissions trigger dst_release() on already-freed dst_ops structures. The fix adds explicit skb_dst_drop() calls in start_xmit to release dst references before queueing, preventing the use-after-free condition. This represents a classic reference counting and object lifetime management issue in kernel networking code, exacerbated by the asynchronous nature of virtio ring processing.

RemediationAI

Apply vendor-supplied kernel patches immediately for affected stable branches. Upgrade to Linux kernel 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or 7.0 mainline depending on your distribution's kernel version. Upstream patches are available at git.kernel.org stable tree (see references for specific commit hashes per branch). For systems where immediate patching is not feasible, implement the following compensating controls with noted trade-offs: (1) Configure virtio_net with napi_tx=Y (NAPI transmit mode enabled) if not already default-this is the recommended configuration and eliminates the vulnerable code path, but may require module reload or reboot; verify compatibility with workload as NAPI mode changes interrupt handling behavior. (2) Avoid configuring tc route filters that manipulate the IFF_XMIT_DST_RELEASE flag-specifically, do not use 'tc filter add ... route to' rules on virtio_net interfaces; this eliminates the trigger condition but restricts traffic control capabilities. (3) Restrict unprivileged user namespace creation via kernel.unprivileged_userns_clone=0 sysctl or AppArmor/SELinux policies to prevent namespace destruction timing attacks; this reduces attack surface but may break containerized applications requiring user namespaces. All compensating controls should be considered temporary until patching is completed. No performance degradation is expected from the kernel patch itself as it only adds explicit dst reference release.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy