CVE-2026-31504

EUVD-2026-24881
In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packet_release() via NETDEV_UP race

`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.
`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.
For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.

The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
3.1.1 ≤
𝑥
< 5.10.253
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.203
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.168
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.131
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.80
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.21
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.11
linuxlinux_kernel
3.1
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
linuxlinux_kernel
7.0:rc5
linuxlinux_kernel
7.0:rc6
linuxlinux_kernel
7.0:rc7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.257-1
fixed
forky
7.0.10-1
fixed
sid
7.0.10-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.90-2
fixed
linux-6.1
bullseye (security)
6.1.174-1~deb11u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-64kb
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-default
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-default-base
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.219.1.150400.24.110.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1.150600.12.52.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
kernel-docs
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-macros
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-obs-build
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-source
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-syms
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-zfcpdump
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.310.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9
https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796
https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e
https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b
https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b
https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1
https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6
https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e