CVE-2026-31504
Description
In the Linux kernel, the following vulnerability has been resolved:
net: fix fanout UAF in packet_release() via NETDEV_UP race
packet_release() has a race window where NETDEV_UP can re-register a socket into a fanout group's arr[] array. The re-registration is not cleaned up by fanout_release(), leaving a dangling pointer in the fanout array. packet_release() does NOT zero po->num in its bind_lock section. After releasing bind_lock, po->num is still non-zero and po->ifindex still matches the bound device. A concurrent packet_notifier(NETDEV_UP) that already found the socket in sklist can re-register the hook. For fanout sockets, this re-registration calls __fanout_link(sk, po) which adds the socket back into f->arr[] and increments f->num_members, but does NOT increment f->sk_ref.
The fix sets po->num to zero in packet_release while bind_lock is held to prevent NETDEV_UP from linking, preventing the race window.
This bug was found following an additional audit with Claude Code based on CVE-2025-38617.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
29cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=3.1.1,<5.10.253
- cpe:2.3:o:linux:linux_kernel:3.1:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
- osv-coords19 versionspkg:rpm/suse/kernel-livepatch-SLE15-SP4_Update_40&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP4pkg:rpm/suse/kernel-livepatch-SLE15-SP4_Update_46&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP4pkg:rpm/suse/kernel-livepatch-SLE15-SP4_Update_47&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP4pkg:rpm/suse/kernel-livepatch-SLE15-SP4_Update_50&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP4pkg:rpm/suse/kernel-livepatch-SLE15-SP5_Update_26&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP5pkg:rpm/suse/kernel-livepatch-SLE15-SP5_Update_30&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP5pkg:rpm/suse/kernel-livepatch-SLE15-SP6_Update_12&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-livepatch-SLE15-SP6_Update_18&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-livepatch-SLE15-SP6_Update_22&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-livepatch-SLE15-SP6_Update_23&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-livepatch-SLE15-SP7-RT_Update_11&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-livepatch-SLE15-SP7-RT_Update_1&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-livepatch-SLE15-SP7-RT_Update_8&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-livepatch-SLE15-SP7_Update_11&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-livepatch-SLE15-SP7_Update_14&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_69&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_70&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_71&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_79&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5
< 21-150400.2.1+ 18 more
- (no CPE)range: < 21-150400.2.1
- (no CPE)range: < 9-150400.2.1
- (no CPE)range: < 9-150400.2.1
- (no CPE)range: < 5-150400.2.1
- (no CPE)range: < 21-150500.2.1
- (no CPE)range: < 14-150500.2.1
- (no CPE)range: < 19-150600.2.1
- (no CPE)range: < 8-150600.2.1
- (no CPE)range: < 5-150600.2.1
- (no CPE)range: < 4-150600.2.1
- (no CPE)range: < 5-150700.2.1
- (no CPE)range: < 18-150700.2.1
- (no CPE)range: < 8-150700.2.1
- (no CPE)range: < 5-150700.2.1
- (no CPE)range: < 2-150700.2.1
- (no CPE)range: < 17-2.1
- (no CPE)range: < 17-2.1
- (no CPE)range: < 14-2.1
- (no CPE)range: < 5-2.1
Patches
Vulnerability mechanics
References
8- git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9nvdPatch
- git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796nvdPatch
- git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703envdPatch
- git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71bnvdPatch
- git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880bnvdPatch
- git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1nvdPatch
- git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6nvdPatch
- git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66envdPatch
News mentions
0No linked articles in our index yet.