{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31504", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.105Z", "datePublished": "2026-04-22T13:54:23.862Z", "dateUpdated": "2026-04-22T13:54:23.862Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:23.862Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/packet/af_packet.c"], "versions": [{"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "ee642b1962caa9aa231c01abbd58bc453ae6b66e", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "42cfd7898eeed290c9fb73f732af1f7d6b0a703e", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "1b4c03f8892d955385c202009af7485364731bb9", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "654386baef228c2992dbf604c819e4c7c35fc71b", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "75fe6db23705a1d55160081f7b37db9665b1880b", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "ceccbfc6de720ad633519a226715989cfb065af1", "status": "affected", "versionType": "git"}, {"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518", "lessThan": "42156f93d123436f2a27c468f18c966b7e5db796", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/packet/af_packet.c"], "versions": [{"version": "3.1", "status": "affected"}, {"version": "0", "lessThan": "3.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"}, {"url": "https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"}, {"url": "https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"}, {"url": "https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"}, {"url": "https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"}, {"url": "https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"}, {"url": "https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"}, {"url": "https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"}], "title": "net: fix fanout UAF in packet_release() via NETDEV_UP race", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617."}], "id": "CVE-2026-31504", "lastModified": "2026-04-22T14:16:49.040", "metrics": {}, "published": "2026-04-22T14:16:49.040", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}