{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31469","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.097Z","datePublished":"2026-04-22T13:53:58.266Z","dateUpdated":"2026-05-11T22:09:20.343Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:09:20.343Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb->dst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n  ...\n  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n  dst_release+0xe0/0x110  net/core/dst.c:177\n  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]\n  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n  ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n    tc qdisc del dev $NETDEV root\n    tc qdisc add dev $NETDEV root handle 1: prio\n    tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n    ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n    ip netns add testns\n    ip link set $NETDEV netns testns\n    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24\n    ip netns exec testns ping -c 1 10.0.32.1\n    ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/virtio_net.c"],"versions":[{"version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","lessThan":"be0e63f3b97bbaf453c542e8a15ba2a536e2ac01","status":"affected","versionType":"git"},{"version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","lessThan":"c1ec36cb3768574b916f20d2d7415fd14fa1bf12","status":"affected","versionType":"git"},{"version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","lessThan":"8a4790850e710fd6771e4d2112168ed1dd6c0e54","status":"affected","versionType":"git"},{"version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","lessThan":"fedd2e1630cac920844997227ccbe7b26a76375a","status":"affected","versionType":"git"},{"version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","lessThan":"f04733c4dc40c43899c3d1c97afbae5831a3770f","status":"affected","versionType":"git"},{"version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","lessThan":"9a18629f2525781f0f3dda7be72b204e4cf77d08","status":"affected","versionType":"git"},{"version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","lessThan":"63d45077b97bb0e0fe0c75931acbbca7a47af141","status":"affected","versionType":"git"},{"version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","lessThan":"ba8bda9a0896746053aa97ac6c3e08168729172c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/virtio_net.c"],"versions":[{"version":"2.6.26","status":"affected"},{"version":"0","lessThan":"2.6.26","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.26","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.26","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.26","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.26","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.26","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.26","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.26","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.26","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"},{"url":"https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12"},{"url":"https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54"},{"url":"https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a"},{"url":"https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f"},{"url":"https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08"},{"url":"https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141"},{"url":"https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c"}],"title":"virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false","x_generator":{"engine":"bippy-1.2.0"}}}}