Cyber Resilience

CVE-2026-31406

Severity: High
Published: 06 April 2026
Modified: 20 May 2026
CISA KEV: not listed
Patch: available (see Deeper analysis)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.0th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31406 is a high-severity vulnerability in the Linux kernel (vendor: Linux; product: Linux Kernel); the record does not assign a specific weakness type. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 1.0th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31406 is a race condition vulnerability in the Linux kernel's xfrm subsystem, specifically within the xfrm_nat_keepalive_net_fini() function. During network namespace cleanup, cancel_delayed_work_sync() is called on nat_keepalive_work, followed by xfrm_state_fini() which flushes states via __xfrm_state_delete(). This can trigger xfrm_nat_keepalive_state_updated() to re-schedule the delayed work on a CPU while the network namespace is being freed on another CPU, resulting in the work executing on a freed net structure and causing a use-after-free.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L), no user interaction (UI:N), and scope unchanged (S:U). Successful exploitation could have high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), giving a CVSS v3.1 base score of 7.8. The race spans the cleanup rounds involving rcu_barrier(), net_complete_free(), and deferred freeing, and the resulting access to freed memory could potentially allow arbitrary code execution, denial of service, or data corruption.

Kernel patch advisories address this via commits in stable branches, such as https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13 and others linked, which replace cancel_delayed_work_sync() with disable_delayed_work_sync() to prevent re-scheduling after cancellation. Security practitioners should update to kernels incorporating these fixes to mitigate the issue.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()

After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario:

    cpu0                                                  cpu1
    cleanup_net() [Round 1]
      ops_undo_list()
        xfrm_net_exit()
          xfrm_nat_keepalive_net_fini()
            cancel_delayed_work_sync(nat_keepalive_work);
          xfrm_state_fini()
            xfrm_state_flush()
              xfrm_state_delete(x)
                __xfrm_state_delete(x)
                  xfrm_nat_keepalive_state_updated(x)
                    schedule_delayed_work(nat_keepalive_work);
      rcu_barrier();
      net_complete_free();
        net_passive_dec(net);
          llist_add(&net->defer_free_list, &defer_free_list);
                                                          cleanup_net() [Round 2]
                                                            rcu_barrier();
                                                            net_complete_free()
                                                              kmem_cache_free(net_cachep, net);
                                                          nat_keepalive_work() // on freed net

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
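As an added illustration, not part of the advisory or of the kernel source, the following userspace C model replays the teardown order from the Deeper analysis and the race scenario above to show why the fix works: cancel_delayed_work_sync() only drops the queued instance, so the re-schedule from the state flush lands after the net is freed, while disable_delayed_work_sync() also refuses later schedule requests. The stand-in functions mirror the kernel API names, but the disable counter and pending flag are assumptions that model the kernel workqueue behaviour rather than reproduce it.

```c
#include <stdbool.h>

/* Userspace model of the teardown order; names mirror kernel functions but are local stand-ins. */
struct net { bool freed; };
struct delayed_work {
    int  disable_count;   /* >0: schedule requests are refused (assumed model of disable_*) */
    bool pending;         /* queued, will run when the workqueue reaches it */
};

/* schedule_delayed_work() stand-in: a no-op while the work is disabled */
static bool schedule_delayed_work(struct delayed_work *w)
{
    if (w->disable_count > 0)
        return false;
    w->pending = true;
    return true;
}

/* cancel_delayed_work_sync() stand-in: drops the pending instance only, so a later schedule succeeds */
static void cancel_delayed_work_sync(struct delayed_work *w) { w->pending = false; }

/* disable_delayed_work_sync() stand-in: cancels AND blocks any re-scheduling */
static void disable_delayed_work_sync(struct delayed_work *w)
{
    w->disable_count++;
    w->pending = false;
}

/* xfrm_state_fini() -> __xfrm_state_delete() -> xfrm_nat_keepalive_state_updated() */
static void xfrm_state_fini(struct delayed_work *w) { schedule_delayed_work(w); }

/* Replays xfrm_nat_keepalive_net_fini(), the state flush and the net free;
 * returns 1 if nat_keepalive_work() would still run on the freed net, else 0. */
int cleanup_net_model(bool patched)
{
    struct net net = { .freed = false };
    struct delayed_work work = { .disable_count = 0, .pending = false };

    if (patched)
        disable_delayed_work_sync(&work);   /* fixed xfrm_nat_keepalive_net_fini() */
    else
        cancel_delayed_work_sync(&work);    /* vulnerable version */
    xfrm_state_fini(&work);                 /* may re-schedule nat_keepalive_work */
    net.freed = true;                       /* Round 2: kmem_cache_free(net_cachep, net) */
    return (work.pending && net.freed) ? 1 : 0;
}
```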

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local kernel use-after-free race condition in xfrm allows a low-privileged attacker to achieve arbitrary code execution and privilege escalation (high C/I/A impact) by exploiting the vulnerability itself.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 (same product: Linux Linux Kernel)
CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2026-23387 (same product: Linux Linux Kernel)
CVE-2025-21856 (same product: Linux Linux Kernel)
CVE-2025-21727 (same product: Linux Linux Kernel)
CVE-2026-23275 (same product: Linux Linux Kernel)
CVE-2026-31401 (same product: Linux Linux Kernel)
CVE-2024-57980 (same product: Linux Linux Kernel)
CVE-2026-23437 (same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
7.0 · 6.11 — 6.12.80 · 6.13 — 6.18.21 · 6.19 — 6.19.11

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly mitigates the race condition and use-after-free by requiring timely application of the kernel patch replacing cancel_delayed_work_sync() with disable_delayed_work_sync() during network namespace cleanup.

RA-5 Vulnerability Monitoring and Scanning · prevent

Vulnerability scanning identifies the presence of this specific CVE in Linux kernels, enabling targeted patching and remediation.

prevent

Ensures receipt of and action on kernel patch advisories detailing the fix for this xfrm NAT keepalive race condition.

References