{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31406", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.086Z", "datePublished": "2026-04-06T07:38:18.840Z", "dateUpdated": "2026-04-06T07:38:18.840Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-06T07:38:18.840Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()\n\nAfter cancel_delayed_work_sync() is called from\nxfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining\nstates via __xfrm_state_delete(), which calls\nxfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\ncleanup_net() [Round 1]\n ops_undo_list()\n xfrm_net_exit()\n xfrm_nat_keepalive_net_fini()\n cancel_delayed_work_sync(nat_keepalive_work);\n xfrm_state_fini()\n xfrm_state_flush()\n xfrm_state_delete(x)\n __xfrm_state_delete(x)\n xfrm_nat_keepalive_state_updated(x)\n schedule_delayed_work(nat_keepalive_work);\n rcu_barrier();\n net_complete_free();\n net_passive_dec(net);\n llist_add(&net->defer_free_list, &defer_free_list);\n\ncleanup_net() [Round 2]\n rcu_barrier();\n net_complete_free()\n kmem_cache_free(net_cachep, net);\n nat_keepalive_work()\n // on freed net\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_nat_keepalive.c"], "versions": [{"version": "f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae", "lessThan": "32d0f44c2f14d60fe8e920e69a28c11051543ec1", "status": "affected", "versionType": "git"}, {"version": "f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae", "lessThan": "2255ed6adbc3100d2c4a83abd9d0396d04b87792", "status": "affected", "versionType": "git"}, {"version": "f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae", "lessThan": "21f2fc49ca6faa393c31da33b8a4e6c41fc84c13", "status": "affected", "versionType": "git"}, {"version": "f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae", "lessThan": "daf8e3b253aa760ff9e96c7768a464bc1d6b3c90", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_nat_keepalive.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0-rc6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1"}, {"url": "https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792"}, {"url": "https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13"}, {"url": "https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90"}], "title": "xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()\n\nAfter cancel_delayed_work_sync() is called from\nxfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining\nstates via __xfrm_state_delete(), which calls\nxfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\ncleanup_net() [Round 1]\n ops_undo_list()\n xfrm_net_exit()\n xfrm_nat_keepalive_net_fini()\n cancel_delayed_work_sync(nat_keepalive_work);\n xfrm_state_fini()\n xfrm_state_flush()\n xfrm_state_delete(x)\n __xfrm_state_delete(x)\n xfrm_nat_keepalive_state_updated(x)\n schedule_delayed_work(nat_keepalive_work);\n rcu_barrier();\n net_complete_free();\n net_passive_dec(net);\n llist_add(&net->defer_free_list, &defer_free_list);\n\ncleanup_net() [Round 2]\n rcu_barrier();\n net_complete_free()\n kmem_cache_free(net_cachep, net);\n nat_keepalive_work()\n // on freed net\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync()."}], "id": "CVE-2026-31406", "lastModified": "2026-04-07T13:20:35.010", "metrics": {}, "published": "2026-04-06T08:16:38.457", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()", "id": "2455332", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455332"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel, specifically within its xfrm (IP eXtensible FRamework) component. This vulnerability arises from a race condition during network cleanup, where a scheduled task (nat_keepalive_work) can be re-activated and attempt to operate on memory that has already been freed. This 'use-after-free' condition could allow a local attacker to cause the system to crash, leading to a denial of service, or potentially execute unauthorized code."], "name": "CVE-2026-31406", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31406\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31406\nhttps://lore.kernel.org/linux-cve-announce/2026040628-CVE-2026-31406-e2f3@gregkh/T"], "statement": "After `cancel_delayed_work_sync()` in `xfrm_nat_keepalive_net_fini()`, state deletion could reschedule `nat_keepalive_work` on a net being torn down. Replacing with `disable_delayed_work_sync()` prevents new schedules. Trigger is network namespace teardown with xfrm NAT keepalive in use.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae,32d0f44c2f14d60fe8e920e69a28c11051543ec1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae,2255ed6adbc3100d2c4a83abd9d0396d04b87792)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae,21f2fc49ca6faa393c31da33b8a4e6c41fc84c13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae,daf8e3b253aa760ff9e96c7768a464bc1d6b3c90)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-07T02:52:29.674866+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the commit 21f2fc49ca6faa393c31da33b8a4e6c41fc84c13 or later."], "summary": {"action": "Apply patch", "impact": "Use\u2011after\u2011free and potential kernel memory corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the xfrm NAT keep\u2011alive code and have not yet incorporated the commit that replaces cancel_delayed_work_sync with disable_delayed_work_sync are affected. The advisory does not specify exact version numbers, so any kernel prior to the patch is potentially vulnerable. The issue applies to all builds of the Linux kernel, irrespective of distribution.", "description_and_impact": "A race condition occurs during cleanup of a network namespace in the Linux kernel\u2019s xfrm NAT keep\u2011alive subsystem. When the cleanup routine cancels a scheduled work item, subsequent state\u2011flush callbacks reschedule the same work. If cleanup finishes before the rescheduled work runs, the work operates on a net namespace that has already been freed, leading to a use\u2011after\u2011free that can corrupt kernel memory.", "risk_and_exploitability": "The CVSS score of 5.5 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local and requires privileged access to the kernel, such as root or the ability to create and tear down network namespaces, under which an attacker can trigger the race and achieve use\u2011after\u2011free."}}}}, "created": "2026-04-06T20:14:56.247542+00:00", "updated": "2026-04-07T06:55:05.883217+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}