VYPR
High severity · 7.8 · NVD Advisory · Published Apr 25, 2026 · Updated May 6, 2026

CVE-2026-31680

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: flowlabel: defer exclusive option free until RCU teardown

ip6fl_seq_show() walks the global flowlabel hash under the seq-file RCU read-side lock and prints fl->opt->opt_nflen when an option block is present.

Exclusive flowlabels currently free fl->opt as soon as fl->users drops to zero in fl_release(). However, the surrounding struct ip6_flowlabel remains visible in the global hash table until later garbage collection removes it and fl_free_rcu() finally tears it down.

A concurrent /proc/net/ip6_flowlabel reader can therefore race that early kfree() and dereference freed option state, triggering a crash in ip6fl_seq_show().

Fix this by keeping fl->opt alive until fl_free_rcu(). That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
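
The lifetime rule described above, as an added example: a simplified userspace model in C, not the kernel's code and not the upstream patch. It assumes a single label and a single reader; the `*_model` types, `enum policy` and `stale_reads()` are hypothetical names, and a `freed` flag stands in for kfree() so both policies can be compared safely.

```c
/* Simplified userspace model, not kernel source; 'freed' stands in for kfree(). */
#include <stdbool.h>
#include <stdio.h>
struct opt_model { int opt_nflen; bool freed; };
struct fl_model {
    int users;              /* models fl->users */
    bool hashed;            /* still reachable via the global hash */
    struct opt_model *opt;  /* models fl->opt */
};
enum policy { FREE_IN_RELEASE, FREE_IN_RCU_TEARDOWN };

/* Models fl_release(): the last user drops its reference. */
static void model_release(struct fl_model *fl, enum policy p)
{
    if (--fl->users == 0 && p == FREE_IN_RELEASE)
        fl->opt->freed = true;   /* pre-fix: freed while fl is still hashed */
}

/* Models garbage collection followed by fl_free_rcu(). */
static void model_gc_then_rcu_teardown(struct fl_model *fl)
{
    fl->hashed = false;          /* readers can no longer find fl */
    fl->opt->freed = true;       /* option block dies with its label */
}

/* Models the ip6fl_seq_show() access; 1 means it would touch freed memory. */
static int model_reader_hits_freed_opt(const struct fl_model *fl)
{
    if (!fl->hashed || !fl->opt)
        return 0;                /* label unreachable or has no options */
    return fl->opt->freed;       /* the kernel reads fl->opt->opt_nflen here */
}

/* release -> reader inside the window -> GC/teardown -> later reader */
static int stale_reads(enum policy p)
{
    struct opt_model opt = { .opt_nflen = 8, .freed = false }; /* constructed */
    struct fl_model fl = { .users = 1, .hashed = true, .opt = &opt };
    int bad;
    model_release(&fl, p);
    bad = model_reader_hits_freed_opt(&fl);
    model_gc_then_rcu_teardown(&fl);
    return bad + model_reader_hits_freed_opt(&fl);
}

int main(void)
{
    printf("early=%d deferred=%d\n", stale_reads(FREE_IN_RELEASE),
           stale_reads(FREE_IN_RCU_TEARDOWN));
    return 0;
}
```

The only stale read occurs in the window between release and garbage collection, which is the window the fix closes by tying the option block's lifetime to the enclosing label.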

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's IPv6 flowlabel implementation allows local attackers to crash the system via a race condition when reading /proc/net/ip6_flowlabel.

Vulnerability

CVE-2026-31680 is a use-after-free vulnerability in the Linux kernel's IPv6 flowlabel subsystem. The root cause is that exclusive flowlabels free their associated option block (fl->opt) as soon as the reference count (fl->users) drops to zero in fl_release(). However, the enclosing struct ip6_flowlabel remains visible in the global hash table until garbage collection removes it, and it is torn down only afterwards by fl_free_rcu() under RCU. This creates a window in which a concurrent reader of /proc/net/ip6_flowlabel can access freed option state, leading to a crash [1].

Exploitation

The attack surface is local; an unprivileged user can trigger the race by opening /proc/net/ip6_flowlabel while the kernel is processing flowlabel release operations. No special privileges are required beyond the ability to read the proc file and to create IPv6 flowlabels (which may be available to unprivileged users depending on system configuration). The race occurs because ip6fl_seq_show() walks the global flowlabel hash under the seq-file RCU read-side lock and dereferences fl->opt->opt_nflen without ensuring the option block is still alive [1].

Impact

A successful exploit results in a kernel crash (denial of service). The vulnerability does not appear to allow privilege escalation or arbitrary code execution based on the available information, but a crash can disrupt system availability. The CVSS v3 score of 7.8 (High) reflects the potential for significant impact on system operation [1].

Mitigation

The fix defers freeing of fl->opt until fl_free_rcu(), ensuring the option block remains valid for any RCU-protected reader. The patch has been applied to the stable kernel tree and is available in commits [1], [2], [3], and [4] for various stable branches. Users should update their kernels to include the fix. No workaround is documented; the only mitigation is to apply the kernel patch.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
  • Linux/Kernel (inferred), 8 versions
    • (no CPE)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.9,<5.10.253)
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

References

8
