7.8

CVE-2026-31504

net: fix fanout UAF in packet_release() via NETDEV_UP race

In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packet_release() via NETDEV_UP race

`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.
`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.
For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.

The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.1.1 < 5.10.253
LinuxLinux Kernel Version >= 5.11 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.168
LinuxLinux Kernel Version >= 6.2 < 6.6.131
LinuxLinux Kernel Version >= 6.7 < 6.12.80
LinuxLinux Kernel Version >= 6.13 < 6.18.21
LinuxLinux Kernel Version >= 6.19 < 6.19.11
LinuxLinux Kernel Version3.1 Update-
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
LinuxLinux Kernel Version7.0 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.029
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9
Patch
https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796
Patch
https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e
Patch
https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b
Patch
https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b
Patch
https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1
Patch
https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6
Patch
https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e
Patch