7.8

CVE-2026-31663

xfrm: hold dev ref until after transport_finish NF_HOOK

In the Linux kernel, the following vulnerability has been resolved:

xfrm: hold dev ref until after transport_finish NF_HOOK

After async crypto completes, xfrm_input_resume() calls dev_put()
immediately on re-entry before the skb reaches transport_finish.
The skb->dev pointer is then used inside NF_HOOK and its okfn,
which can race with device teardown.

Remove the dev_put from the async resumption entry and instead
drop the reference after the NF_HOOK call in transport_finish,
using a saved device pointer since NF_HOOK may consume the skb.
This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip
the okfn.

For non-transport exits (decaps, gro, drop) and secondary
async return points, release the reference inline when
async is set.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.2.100 < 3.3
LinuxLinux Kernel Version >= 3.16.55 < 3.17
LinuxLinux Kernel Version >= 4.14.24 < 4.15
LinuxLinux Kernel Version >= 4.15.1 < 6.18.23
LinuxLinux Kernel Version >= 6.19 < 6.19.13
LinuxLinux Kernel Version4.15 Update-
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
LinuxLinux Kernel Version7.0 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.109
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-826 Premature Release of Resource During Expected Lifetime

The product releases a resource that is still intended to be used by itself or another actor.

https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b
Patch
https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2
Patch
https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb
Patch
https://git.kernel.org/stable/c/4236c30b437b80f673b9e08c8fae38b8d471ac9e
https://access.redhat.com/security/cve/CVE-2026-31663
https://bugzilla.redhat.com/show_bug.cgi?id=2461462
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31663.json