Skip to main content

Linux Kernel EUVDEUVD-2026-24881

| CVE-2026-31504 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5v9p-3rfc-6rw2
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.3 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 15:22 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 15:07 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:24 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24881
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packet_release() via NETDEV_UP race

packet_release() has a race window where NETDEV_UP can re-register a socket into a fanout group's arr[] array. The re-registration is not cleaned up by fanout_release(), leaving a dangling pointer in the fanout array. packet_release() does NOT zero po->num in its bind_lock section. After releasing bind_lock, po->num is still non-zero and po->ifindex still matches the bound device. A concurrent packet_notifier(NETDEV_UP) that already found the socket in sklist can re-register the hook. For fanout sockets, this re-registration calls __fanout_link(sk, po) which adds the socket back into f->arr[] and increments f->num_members, but does NOT increment f->sk_ref.

The fix sets po->num to zero in packet_release while bind_lock is held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based on CVE-2025-38617.

AnalysisAI

Use-after-free in Linux kernel packet socket handling allows local attackers with low privileges to achieve kernel memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The vulnerability stems from a race condition in packet_release() where NETDEV_UP events can re-register a socket into a fanout group's array after cleanup begins but before the socket number is zeroed, leaving dangling pointers. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score is low (0.02%, 7th percentile) and no active exploitation is confirmed (not in CISA KEV), suggesting limited real-world exploitation despite high CVSS 7.8 rating.

Technical ContextAI

This vulnerability affects the Linux kernel's AF_PACKET socket implementation, specifically the packet fanout mechanism used for load-balancing packet capture across multiple sockets. Fanout groups maintain an array of member sockets for distributing packets. The race condition occurs during socket cleanup in packet_release() when it releases the bind_lock before zeroing po->num (the protocol number field). If a NETDEV_UP network device notification arrives during this window, the packet_notifier() function can call __fanout_link() to re-register the socket into the fanout array. This creates a use-after-free condition because the socket is simultaneously being released while being added back to active data structures. The fanout reference counting becomes inconsistent (f->num_members incremented but f->sk_ref not incremented), leading to potential memory corruption. The vulnerability was introduced in commit ce06b03e60fc and affects kernel versions from 3.1 onward until patched. The fix addresses the root cause by setting po->num to zero within the bind_lock critical section, preventing the notification handler from identifying the socket as eligible for re-registration.

RemediationAI

Upgrade to patched kernel versions: 5.10.253 or later for 5.10.x LTS branch, 5.15.203+ for 5.15.x LTS, 6.1.168+ for 6.1.x LTS, 6.6.131+ for 6.6.x stable, 6.12.80+ for 6.12.x, 6.18.21+ for 6.18.x, 6.19.11+ for 6.19.x, or 7.0+ for mainline. Fix commits are referenced at https://git.kernel.org/stable/ with specific commit hashes for each branch. If immediate kernel upgrade is not feasible, consider compensating controls: restrict access to AF_PACKET sockets by setting /proc/sys/kernel/unprivileged_userns_clone to 0 to prevent unprivileged users from creating network namespaces (may break containerized applications), use kernel capabilities restrictions via seccomp or AppArmor to deny CAP_NET_RAW to untrusted processes (prevents packet socket creation but breaks legitimate packet capture tools like tcpdump for those users), or restrict user shell access in multi-tenant environments. These mitigations reduce attack surface but do not eliminate the vulnerability; kernel patching remains the definitive solution. Verify patch application by checking kernel version with 'uname -r' and confirming it matches or exceeds the patched versions listed above.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy