CVE-2026-31406
Description
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()
After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.
The following is a simple race scenario:
cpu0 cpu1
cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list);
cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net
To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
16cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.11,<6.12.80
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- (no CPE)
- osv-coords8 versionspkg:rpm/suse/kernel-livepatch-SLE16_Update_10&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_11&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_8&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_8&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_9&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_9&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 2-160000.1.1+ 7 more
- (no CPE)range: < 2-160000.1.1
- (no CPE)range: < 2-160000.1.1
- (no CPE)range: < 2-160000.1.1
- (no CPE)range: < 2-160000.1.1
- (no CPE)range: < 3-160000.1.1
- (no CPE)range: < 3-160000.1.1
- (no CPE)range: < 2-160000.1.1
- (no CPE)range: < 2-160000.1.1
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.