CVE-2026-31504
Published: 22 April 2026
Description
In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race

`packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array.

`packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.

The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based on CVE-2025-38617.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Flaw remediation: apply the stable kernel patch, which zeroes po->num while bind_lock is still held in packet_release(), so a concurrent NETDEV_UP notifier sees an unbound socket and cannot re-register the hook. This is the only control that actually removes the race.
- Memory protection: kernel hardening features (KASLR, SMEP/SMAP, slab freelist hardening and randomization) raise the cost of turning the dangling arr[] pointer into kernel code execution, but they do not close the race window and are not a substitute for the patch.
- Vulnerability monitoring and scanning: scan for kernels that predate the fix so that affected hosts are identified and scheduled for remediation rather than left running the racy release path.
Security Summary (AI-generated)
CVE-2026-31504 is a use-after-free (UAF) in the Linux kernel's packet socket (AF_PACKET) code, specifically in packet_release(). It arises from a race with the NETDEV_UP notifier: packet_release() unregisters the socket's protocol hook under bind_lock but does not zero po->num there, so once the lock is dropped po->num is still non-zero and po->ifindex still names the bound device. A concurrent packet_notifier(NETDEV_UP) that has already found the socket in sklist therefore re-registers the hook; for a fanout socket that means __fanout_link(), which puts the socket back into f->arr[] and bumps f->num_members without taking an f->sk_ref. The subsequent fanout_release() does not undo that re-link, so after the socket is freed the group's arr[] still holds a pointer to it.
The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): a local attacker with low privileges (PR:L), low attack complexity (AC:L) and no user interaction (UI:N). Exploitation means closing a fanout socket bound to a device while that device is brought up, so that the stale arr[] entry survives the socket; a later dereference of that entry is the UAF, which could be turned into arbitrary kernel code execution, data corruption, or denial of service. One caveat for assessing exposure: creating an AF_PACKET socket requires CAP_NET_RAW in the socket's network namespace, which an unprivileged user can obtain by creating a user namespace on systems that allow unprivileged user namespaces; restricting those narrows the set of local users who can reach the racy path, but does not fix it.
The stable kernel patches at the referenced git commits fix the issue by setting po->num to zero while bind_lock is held in packet_release(), so a NETDEV_UP that arrives after the unlock finds an unbound socket and cannot re-link it.
This vulnerability was discovered through an audit using Claude Code, building on analysis of CVE-2025-38617, with no public reports of real-world exploitation as of its publication on 2026-04-22.
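The interleaving described in the Description and in the summary above, replayed as a deterministic single-threaded model. This is an added example, not the kernel's code or anything from the advisory: locks are reduced to comments, the race is forced by calling the two halves of packet_release() around the notifier, sock refcounting and the sklist walk are omitted, and the `freed` flag stands in for the socket's memory being released. Function names mirror the kernel helpers the advisory refers to (the `register_prot_hook`/`unregister_prot_hook` pair is the hook (re-)registration it describes); the struct layouts and the two-member group are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the packet_release() / NETDEV_UP ordering from the
 * advisory. Not kernel code: bind_lock is a comment, the "race" is a fixed
 * interleaving, and sock refcounting is left out so the stale arr[] entry
 * is visible directly. */

#define PACKET_FANOUT_MAX 4

struct packet_sock;

struct packet_fanout {
	struct packet_sock *arr[PACKET_FANOUT_MAX];
	unsigned int num_members;     /* live entries in arr[] */
	unsigned int sk_ref;          /* one reference per member socket */
};

struct packet_sock {
	unsigned short num;           /* protocol from bind(); 0 = unbound */
	int ifindex;                  /* device the socket is bound to */
	bool running;                 /* protocol hook registered */
	struct packet_fanout *fanout; /* fanout group, or NULL */
	bool freed;                   /* model stand-in for freed socket memory */
};

/* As the advisory describes: arr[] and num_members grow, sk_ref does not. */
static void __fanout_link(struct packet_fanout *f, struct packet_sock *po)
{
	f->arr[f->num_members++] = po;
}

static void __fanout_unlink(struct packet_fanout *f, struct packet_sock *po)
{
	for (unsigned int i = 0; i < f->num_members; i++) {
		if (f->arr[i] == po) {
			f->arr[i] = f->arr[f->num_members - 1];
			f->num_members--;
			return;
		}
	}
}

static void register_prot_hook(struct packet_sock *po)
{
	if (!po->running) {
		if (po->fanout)
			__fanout_link(po->fanout, po);
		po->running = true;
	}
}

static void unregister_prot_hook(struct packet_sock *po)
{
	if (po->running) {
		if (po->fanout)
			__fanout_unlink(po->fanout, po);
		po->running = false;
	}
}

/* First half of packet_release(): the bind_lock section. */
static void packet_release_bind_section(struct packet_sock *po, bool patched)
{
	/* spin_lock(&po->bind_lock); */
	unregister_prot_hook(po);
	if (patched)
		po->num = 0;   /* the fix: NETDEV_UP must see an unbound socket */
	/* spin_unlock(&po->bind_lock); */
}

/* packet_notifier(NETDEV_UP) for a device this socket was found bound to. */
static void packet_notifier_up(struct packet_sock *po, int ifindex)
{
	if (ifindex != po->ifindex)
		return;
	/* spin_lock(&po->bind_lock); */
	if (po->num)
		register_prot_hook(po);
	/* spin_unlock(&po->bind_lock); */
}

/* Second half of packet_release(): fanout_release() and the free. */
static void packet_release_tail(struct packet_sock *po)
{
	struct packet_fanout *f = po->fanout;
	if (f) {
		po->fanout = NULL;
		f->sk_ref--;   /* group survives while another member holds a ref */
	}
	po->freed = true;
}

/* arr[] entries that point at a socket the model has already freed. */
static unsigned int dangling_members(const struct packet_fanout *f)
{
	unsigned int n = 0;
	for (unsigned int i = 0; i < f->num_members; i++)
		if (f->arr[i]->freed)
			n++;
	return n;
}

/* Replay: two members in one group, both bound to ifindex 2 (constructed
 * input); NETDEV_UP lands between the two halves of victim's release. */
static unsigned int replay(bool patched)
{
	struct packet_fanout f = { 0 };
	struct packet_sock victim = { .num = 0x0003, .ifindex = 2, .fanout = &f };
	struct packet_sock other  = { .num = 0x0003, .ifindex = 2, .fanout = &f };

	f.sk_ref = 2;                 /* fanout_add(): one ref per member */
	register_prot_hook(&victim);
	register_prot_hook(&other);

	packet_release_bind_section(&victim, patched);
	packet_notifier_up(&victim, 2);   /* the racing NETDEV_UP */
	packet_release_tail(&victim);

	return dangling_members(&f);
}

int main(void)
{
	printf("unpatched: %u dangling fanout member(s)\n", replay(false));
	printf("patched:   %u dangling fanout member(s)\n", replay(true));
	return 0;
}
```

In the unpatched replay the notifier finds po->num still set, re-links the victim into arr[] and leaves num_members at 2 against an sk_ref of 1, so one entry points at freed memory; with po->num zeroed under the lock the notifier takes the early return and the group is left consistent.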
AI Security Analysis (AI-generated)
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: claude
The keyword match is on the name of the tool used to find the bug (Claude Code, per the Description), not on any AI component in the affected code; the vulnerability itself is a kernel networking UAF with no AI surface, which is consistent with the empty OWASP LLM and ATLAS mappings.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
A kernel UAF reachable from a low-privileged local process via the packet_release() race yields a memory-corruption primitive usable for arbitrary kernel code execution, which maps to T1068 Exploitation for Privilege Escalation and is consistent with the AV:L/PR:L vector.