{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31429", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.089Z", "datePublished": "2026-04-20T09:43:03.194Z", "dateUpdated": "2026-04-20T09:43:03.194Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-20T09:43:03.194Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skb: fix cross-cache free of KFENCE-allocated skb head\n\nSKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2\nvalue (e.g. 704 on x86_64) to avoid collisions with generic kmalloc\nbucket sizes. This ensures that skb_kfree_head() can reliably use\nskb_end_offset to distinguish skb heads allocated from\nskb_small_head_cache vs. generic kmalloc caches.\n\nHowever, when KFENCE is enabled, kfence_ksize() returns the exact\nrequested allocation size instead of the slab bucket size. If a caller\n(e.g. bpf_test_init) allocates skb head data via kzalloc() and the\nrequested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then\nslab_build_skb() -> ksize() returns that exact value. After subtracting\nskb_shared_info overhead, skb_end_offset ends up matching\nSKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free\nthe object to skb_small_head_cache instead of back to the original\nkmalloc cache, resulting in a slab cross-cache free:\n\n kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected\n skbuff_small_head but got kmalloc-1k\n\nFix this by always calling kfree(head) in skb_kfree_head(). This keeps\nthe free path generic and avoids allocator-specific misclassification\nfor KFENCE objects."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skbuff.c"], "versions": [{"version": "bf9f1baa279f0758dc2297080360c5a616843927", "lessThan": "60313768a8edc7094435975587c00c2d7b834083", "status": "affected", "versionType": "git"}, {"version": "bf9f1baa279f0758dc2297080360c5a616843927", "lessThan": "2d64618ea846d8d033477311f805ca487d6a6696", "status": "affected", "versionType": "git"}, {"version": "bf9f1baa279f0758dc2297080360c5a616843927", "lessThan": "474e00b935db250cac320d10c1d3cf4e44b46721", "status": "affected", "versionType": "git"}, {"version": "bf9f1baa279f0758dc2297080360c5a616843927", "lessThan": "0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skbuff.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/60313768a8edc7094435975587c00c2d7b834083"}, {"url": "https://git.kernel.org/stable/c/2d64618ea846d8d033477311f805ca487d6a6696"}, {"url": "https://git.kernel.org/stable/c/474e00b935db250cac320d10c1d3cf4e44b46721"}, {"url": "https://git.kernel.org/stable/c/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516"}], "title": "net: skb: fix cross-cache free of KFENCE-allocated skb head", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skb: fix cross-cache free of KFENCE-allocated skb head\n\nSKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2\nvalue (e.g. 704 on x86_64) to avoid collisions with generic kmalloc\nbucket sizes. This ensures that skb_kfree_head() can reliably use\nskb_end_offset to distinguish skb heads allocated from\nskb_small_head_cache vs. generic kmalloc caches.\n\nHowever, when KFENCE is enabled, kfence_ksize() returns the exact\nrequested allocation size instead of the slab bucket size. If a caller\n(e.g. bpf_test_init) allocates skb head data via kzalloc() and the\nrequested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then\nslab_build_skb() -> ksize() returns that exact value. After subtracting\nskb_shared_info overhead, skb_end_offset ends up matching\nSKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free\nthe object to skb_small_head_cache instead of back to the original\nkmalloc cache, resulting in a slab cross-cache free:\n\n kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected\n skbuff_small_head but got kmalloc-1k\n\nFix this by always calling kfree(head) in skb_kfree_head(). This keeps\nthe free path generic and avoids allocator-specific misclassification\nfor KFENCE objects."}], "id": "CVE-2026-31429", "lastModified": "2026-04-20T10:16:16.737", "metrics": {}, "published": "2026-04-20T10:16:16.737", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2d64618ea846d8d033477311f805ca487d6a6696"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/474e00b935db250cac320d10c1d3cf4e44b46721"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/60313768a8edc7094435975587c00c2d7b834083"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: net: skb: fix cross-cache free of KFENCE-allocated skb head", "id": "2459692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459692"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-763", "details": ["A flaw was found in the Linux kernel. When the Kernel Electric Fence (KFENCE), a memory safety error detector, is enabled, a memory corruption vulnerability can occur. This happens because the `skb_kfree_head()` function incorrectly frees network buffer (skb) head data to the wrong memory cache. This misallocation can lead to system instability or denial of service."], "name": "CVE-2026-31429", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31429\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31429\nhttps://lore.kernel.org/linux-cve-announce/2026042006-CVE-2026-31429-a0e1@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf9f1baa279f0758dc2297080360c5a616843927,60313768a8edc7094435975587c00c2d7b834083)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf9f1baa279f0758dc2297080360c5a616843927,2d64618ea846d8d033477311f805ca487d6a6696)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf9f1baa279f0758dc2297080360c5a616843927,474e00b935db250cac320d10c1d3cf4e44b46721)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf9f1baa279f0758dc2297080360c5a616843927,0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.82,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.23,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.13,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T08:06:55.462331+00:00", "value": {"mitigation_remediation": ["Apply the upstream kernel patch that changes skb_kfree_head to always call kfree(), ensuring the free path is generic and avoids allocator\u2011specific misclassification.", "Disable KFENCE in the kernel configuration (CONFIG_KFENCE=n) to eliminate the cross\u2011cache free issue introduced by KFENCE allocations.", "Review and restrict any user\u2011space components that create skb heads, such as custom BPF programs or modules, until a patch or KFENCE disabling is in place.", "Verify correct lock usage around skb allocation and deallocation to address CWE\u2011763, ensuring proper synchronization."], "summary": {"action": "Patch promptly", "impact": "Kernel memory corruption via improper slab cache free"}, "threat_synthesis": {"affected_systems": "This vulnerability applies to any Linux kernel release containing the unchanged skb allocation code before the upstream patch is applied. All distributions that ship the code without changes are impacted. No specific distribution version information is provided, so the affected range is all kernels prior to the committed hotfix.", "description_and_impact": "The Linux kernel contains a flaw in the network buffer (skb) free logic. The flaw corresponds to CWE-763. When Kernel-Fences are enabled, the allocation routine returns the requested size instead of the slab bucket size, which causes skb_kfree_head() to incorrectly classify the object\u2019s slab cache during deallocation. This cross-cache free can corrupt kernel memory or trigger a kernel crash, potentially affecting system reliability and security.", "risk_and_exploitability": "The CVSS score of 6.6 indicates a moderate severity vulnerability, while the EPSS score of <1% suggests a low probability of exploitation in the near term. The CVE does not describe a concrete exploitation path; it only notes that an attacker would need to allocate skb heads with the exact size that triggers the misclassifying free. The vulnerability is not listed in CISA\u2019s KEV catalog, and the available evidence points to a moderate risk should a privileged or local attacker be able to trigger the allocation path."}}}}, "created": "2026-04-20T11:30:05.324964+00:00", "updated": "2026-04-22T08:15:05.752875+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}