VYPR
High severity 7.8
NVD Advisory · Published Apr 6, 2026 · Updated Apr 27, 2026

CVE-2026-31406

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()

After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.

The following is a simple race scenario:

    cpu0                                                cpu1

    cleanup_net() [Round 1]
      ops_undo_list()
        xfrm_net_exit()
          xfrm_nat_keepalive_net_fini()
            cancel_delayed_work_sync(nat_keepalive_work);
          xfrm_state_fini()
            xfrm_state_flush()
              xfrm_state_delete(x)
                __xfrm_state_delete(x)
                  xfrm_nat_keepalive_state_updated(x)
                    schedule_delayed_work(nat_keepalive_work);
      rcu_barrier();
      net_complete_free();
        net_passive_dec(net);
          llist_add(&net->defer_free_list, &defer_free_list);

    cleanup_net() [Round 2]
      rcu_barrier();
      net_complete_free()
        kmem_cache_free(net_cachep, net);
                                                        nat_keepalive_work()
                                                          // on freed net

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free race condition in the Linux kernel's xfrm subsystem can occur when delayed work is re-scheduled after cancellation during network namespace teardown.

Vulnerability

Description

CVE-2026-31406 is a use-after-free vulnerability in the Linux kernel's xfrm (IPsec) subsystem. The root cause is a race condition during network namespace cleanup. In xfrm_nat_keepalive_net_fini(), cancel_delayed_work_sync() is called to stop the nat_keepalive_work delayed work. However, subsequent calls to xfrm_state_fini() -> xfrm_state_flush() -> __xfrm_state_delete() can trigger xfrm_nat_keepalive_state_updated(), which re-schedules the same work via schedule_delayed_work(). This re-scheduling occurs after the work has been cancelled but before the network namespace memory is freed, leading to a use-after-free when the work eventually executes on a freed net structure [1].

Exploitation

Exploitation requires an attacker to trigger the race condition during network namespace teardown. The attack surface is local, as the vulnerability resides in kernel code that is exercised when a network namespace is destroyed. No special privileges are needed beyond the ability to create and destroy network namespaces, which is available to unprivileged users in many configurations. The race window is narrow but can be reliably hit with careful timing, as demonstrated by the kernel developers in the fix commit [1].

Impact

If successfully exploited, this use-after-free can lead to a kernel crash (denial of service) or potentially allow an attacker to escalate privileges by corrupting kernel memory. The CVSS v3 score of 7.8 (High) reflects the high impact on confidentiality, integrity, and availability, given that the attack vector is local and requires low privileges [1].

Mitigation

The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() in xfrm_nat_keepalive_net_fini(). The disable_delayed_work_sync() function prevents the work from being re-scheduled after cancellation, closing the race window. The patch has been applied to the Linux kernel stable branches as of April 2026 [1][2][3][4]. Users should update their kernels to include the fix.
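The difference between the two calls, shown as an added user-space model that is not kernel code: it keeps only the queued/disabled state of one delayed work item and replays the teardown order from the description, so the reason the fix closes the window is visible at the flag level. The function names are borrowed from the kernel API for readability; their bodies are constructed here and simplify the real implementation.

```c
#include <stdbool.h>

/* Constructed model of a delayed work item: just the two flags that
 * matter for this bug. Not the kernel's struct delayed_work. */
struct delayed_work {
    bool pending;   /* queued and not yet run */
    bool disabled;  /* set by disable_delayed_work_sync() */
};

/* Model of schedule_delayed_work(): queues the work unless it is
 * already pending or has been disabled. Returns true when queued. */
static bool schedule_delayed_work(struct delayed_work *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Model of cancel_delayed_work_sync(): dequeues only. Nothing stops
 * a later schedule_delayed_work() from queueing the work again. */
static void cancel_delayed_work_sync(struct delayed_work *w)
{
    w->pending = false;
}

/* Model of disable_delayed_work_sync(): dequeues and blocks re-queueing. */
static void disable_delayed_work_sync(struct delayed_work *w)
{
    w->pending = false;
    w->disabled = true;
}

/* Replays the advisory's teardown order: stop the work, flush states
 * (which tries to re-schedule it), then free the net. Returns true when
 * the work is still queued at the point the net is freed, which is the
 * use-after-free the CVE describes. */
static bool teardown_leaves_work_pending(bool use_disable)
{
    struct delayed_work nat_keepalive_work = { false, false };
    struct delayed_work *w = &nat_keepalive_work;

    schedule_delayed_work(w);             /* normal runtime: work is armed */
    if (use_disable)
        disable_delayed_work_sync(w);     /* fixed xfrm_nat_keepalive_net_fini() */
    else
        cancel_delayed_work_sync(w);      /* vulnerable xfrm_nat_keepalive_net_fini() */
    /* xfrm_state_fini() -> __xfrm_state_delete() ->
     * xfrm_nat_keepalive_state_updated(): the re-schedule attempt */
    schedule_delayed_work(w);
    /* kmem_cache_free(net_cachep, net) would happen here; anything still
     * pending later runs against freed memory. */
    return w->pending;
}
```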

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
