VYPR
High severity7.8NVD Advisory· Published Apr 6, 2026· Updated May 20, 2026

CVE-2026-31406

CVE-2026-31406

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()

After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.

The following is a simple race scenario:

cpu0 cpu1

cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list);

cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

16

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.