CVE-2026-31406

HIGH

xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario: cpu0 cpu1 cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list); cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

Scores

CVSS v3 7.8
EPSS 0.0016
EPSS Percentile 5.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (16)
linux/Kernel 6.11.0 - 6.12.80linux
linux/Kernel 6.13.0 - 6.18.21linux
linux/Kernel 6.19.0 - 6.19.11linux
Linux/Linux < 6.11
Linux/Linux 6.11
Linux/Linux 6.12.80 - 6.12.*
Linux/Linux 6.18.21 - 6.18.*
Linux/Linux 6.19.11 - 6.19.*
Linux/Linux 7.0
Linux/Linux 7.0-rc6
... and 6 more
Published Apr 06, 2026
Tracked Since Apr 06, 2026