Cyber Resilience

CVE-2026-31419

HighUpdated

Published: 13 April 2026

Published
13 April 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31419 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31419 is a use-after-free vulnerability in the Linux kernel's networking bonding driver, specifically within the bond_xmit_broadcast() function. The issue arises during broadcast transmission over a bonded interface, where the function reuses the original socket buffer (skb) for the last slave device—identified via the racy bond_is_last_slave() check—and clones it for preceding slaves. Concurrent enslavement or release of slave devices can mutate the slave list mid-iteration under RCU protection, altering which slave is deemed "last" and resulting in the original skb being double-freed.

A local attacker with low privileges can exploit this vulnerability by triggering the race condition, for example, through concurrent slave operations while sending UDP packets (such as IPv6 UDP via sendto) over a bonding interface in broadcast mode. Successful exploitation leads to a kernel crash, as demonstrated by a KASAN-reported slab-use-after-free in skb_clone, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The use-after-free could enable denial of service or potentially more severe impacts like arbitrary code execution, depending on kernel configuration and mitigations like KASAN.

Kernel patches addressing this vulnerability are available in stable releases via the referenced commits: 2884bf72fb8f03409e423397319205de48adca16, d4cc7e4c80b1634c7b1497574a2fdb18df6c026c, and f5b94654a4a19891a8108d66ef166de6c028c6cd. These replace the racy bond_is_last_slave() check with a stable index comparison (i + 1 == slaves_count) against a pre-loop snapshot of the slave count obtained via READ_ONCE(), preserving the zero-copy optimization for the last slave while preventing double-frees from list mutations. Security practitioners should update affected Linux kernels promptly.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave…

more

list during RCU-protected iteration, changing which slave is "last" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the "last" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local use-after-free in kernel bonding driver directly enables exploitation for privilege escalation (T1068) via arbitrary code execution or endpoint DoS via kernel crash (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21883Same product: Linux Linux Kernel
CVE-2026-43056Same product: Linux Linux Kernel
CVE-2025-21791Same product: Linux Linux Kernel
CVE-2025-21751Same product: Linux Linux Kernel
CVE-2026-31511Same product: Linux Linux Kernel
CVE-2026-23171Same product: Linux Linux Kernel
CVE-2026-31580Same product: Linux Linux Kernel
CVE-2023-53023Same product: Linux Linux Kernel
CVE-2024-57795Same product: Linux Linux Kernel
CVE-2026-31469Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 5.10.94 — 5.11 · 5.15.17 — 5.16 · 5.16.3 — 5.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the use-after-free flaw in the Linux kernel bonding driver via application of available stable patches.

prevent

Memory protection safeguards like ASLR, DEP, and SMEP/SMAP mitigate exploitation of the double-freed skb for code execution or data leaks.

detect

Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-31419 based on version checks against known affected releases.

References