VYPR
High severity (7.8) · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026

CVE-2026-31663

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: hold dev ref until after transport_finish NF_HOOK

After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown.

Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn.

For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.
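The ordering fix described above, as a userspace model added here (a constructed example, not the kernel's code): a refcounted device is released either before or after a hook that may consume the skb, and the model reports whether the hook dereferenced an already torn-down device and whether the reference was dropped on every exit.

```c
#include <stdbool.h>
enum verdict { NF_ACCEPT, NF_DROP, NF_QUEUE, NF_STOLEN };
struct net_device { int refcnt; bool freed; };
struct sk_buff { struct net_device *dev; bool consumed; };
struct outcome { bool uaf; int refcnt_left; };
static struct net_device g_dev;   /* single constructed device under test */

static void dev_put(struct net_device *dev)
{
    if (--dev->refcnt == 0)
        dev->freed = true;          /* last reference gone: device torn down */
}

/* Model of NF_HOOK + okfn: reads skb->dev and, for any verdict other than
 * NF_ACCEPT, consumes the skb so the caller must not touch it afterwards.
 * Returns true when it dereferenced a torn-down device (the use-after-free). */
static bool nf_hook(struct sk_buff *skb, enum verdict v)
{
    bool uaf = skb->dev->freed;
    if (v != NF_ACCEPT)
        skb->consumed = true;
    return uaf;
}

/* Pre-fix ordering: drop the device reference on async re-entry, then hook. */
static bool resume_before_fix(struct sk_buff *skb, enum verdict v)
{
    dev_put(skb->dev);
    return nf_hook(skb, v);
}

/* Post-fix ordering: save dev, run the hook, then drop the saved reference,
 * which also covers the NF_DROP/NF_QUEUE/NF_STOLEN exits that skip the okfn. */
static bool resume_after_fix(struct sk_buff *skb, enum verdict v)
{
    struct net_device *dev = skb->dev;   /* saved: NF_HOOK may consume skb */
    bool uaf = nf_hook(skb, v);
    dev_put(dev);
    return uaf;
}

/* Run one packet whose skb holds the device's only reference. */
static struct outcome run(bool fixed, enum verdict v)
{
    g_dev = (struct net_device){ .refcnt = 1, .freed = false };
    struct sk_buff skb = { .dev = &g_dev, .consumed = false };
    bool uaf = fixed ? resume_after_fix(&skb, v) : resume_before_fix(&skb, v);
    return (struct outcome){ .uaf = uaf, .refcnt_left = g_dev.refcnt };
}
```

With the pre-fix ordering the hook observes a freed device as soon as the skb held the last reference; with the post-fix ordering it never does, and the reference count still reaches zero on the consumed-skb paths.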

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a use-after-free race in xfrm_input_resume() drops the device reference before NF_HOOK, potentially allowing local privilege escalation.

Vulnerability

The Linux kernel's IPsec (xfrm) subsystem contains a use-after-free race condition in the packet input path. When async cryptographic operations complete, xfrm_input_resume() calls dev_put() to release the device reference immediately upon re-entry. However, the packet still traverses transport_finish and the NF_HOOK netfilter hook, which can use the now-dangling skb->dev pointer. If the device is torn down concurrently, this leads to a use-after-free [1][2][3].

Exploitation

Exploitation requires an attacker to trigger the async crypto path, typically by sending IPsec-encrypted packets that cause the kernel to offload decryption to asynchronous hardware or software. The attack surface is local: an unprivileged user on the system could craft malicious packets to hit the race condition. No authentication is needed beyond the ability to receive network traffic on an IPsec-secured interface.

Impact

A successful exploit could allow an attacker to corrupt kernel memory, potentially leading to privilege escalation to root or a denial of service (system crash). The use-after-free occurs in a context where the attacker may control parts of the freed object, increasing the risk of code execution.

Mitigation

The issue is fixed in Linux kernel stable commits [1], [2], and [3]. Users should update their kernels to include these patches. No workaround is available; systems using IPsec with async crypto are vulnerable until patched.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (9)

  • Linux kernel (9 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.2.100, <3.3)
    • cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.