Skip to main content

Linux Kernel EUVDEUVD-2026-24900

| CVE-2026-31516 HIGH
Race Condition (CWE-362)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-g967-c7qh-8q49
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 16:37 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 16:30 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:26 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24900
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: prevent policy_hthresh.work from racing with netns teardown

A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue.

The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory.

xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work.

Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net.

AnalysisAI

Use-after-free in Linux kernel XFRM subsystem allows local authenticated attackers to achieve arbitrary code execution with high privileges. The vulnerability arises when XFRM policy hash threshold work items (policy_hthresh.work) outlive network namespace teardown, dereferencing freed struct net memory in xfrm_hash_rebuild(). Vendor patches available across multiple stable kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0) confirm the issue affects kernels since commit 880a6fab8f6b. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS:3.1 score of 7.8; no CISA KEV listing or public POC identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's XFRM (IP framework for transforming packets) subsystem, specifically in the policy hash threshold management code introduced in commit 880a6fab8f6ba5b5abe59ea68533202ddea1012c. When userspace sends a XFRM_MSG_NEWSPDINFO netlink message, the kernel queues policy_hthresh.work onto the system workqueue. The work callback xfrm_hash_rebuild() retrieves its parent struct net via container_of() pointer arithmetic. During network namespace teardown, xfrm_policy_fini() flushes policy_hash_work but fails to synchronize policy_hthresh.work, creating a time-of-check-time-of-use race condition. If the namespace completes teardown and frees the struct net before the queued work executes, xfrm_hash_rebuild() dereferences a dangling pointer to freed kernel memory. This is a classic use-after-free condition in kernel workqueue handling, exploitable when network namespaces are dynamically created and destroyed (common in containerized environments). The fix adds proper work synchronization during teardown to ensure queued callbacks cannot outlive their associated data structures.

RemediationAI

Update to patched Linux kernel versions: 6.12.80 or later for the 6.12.x series, 6.18.21 or later for 6.18.x, 6.19.11 or later for 6.19.x, or upgrade to kernel 7.0. Patches are available from https://git.kernel.org/stable/ with commit IDs 29fe3a61bcdce398ee3955101c39f89c01a8a77e (mainline), 4e2e77843fef473ef47e322d52436d8308582a96, 56ea2257b83ee29a543f158159e3d1abc1e3e4fe, and 8854e9367465d784046362698731c1111e3b39b8 for stable branches. If immediate patching is not feasible, consider compensating controls: (1) Restrict CAP_NET_ADMIN capability in user namespaces by setting kernel.unprivileged_userns_clone=0 via sysctl, which prevents unprivileged users from creating network namespaces entirely but breaks container runtimes requiring unprivileged operation; (2) Implement namespace lifecycle monitoring to reduce rapid creation/destruction cycles that increase race window, though this only reduces probability without eliminating risk; (3) Deploy kernel runtime integrity monitoring (IMA/EVM) to detect post-exploitation memory corruption, noting this provides detection not prevention. All workarounds significantly limit functionality compared to patching. Test patches in staging environments first as XFRM changes can affect IPsec VPN connectivity.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy