CVE-2026-31419
Published: 13 April 2026
Summary
CVE-2026-31419 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31419 is a use-after-free vulnerability in the Linux kernel's networking bonding driver, specifically within the bond_xmit_broadcast() function. The issue arises during broadcast transmission over a bonded interface, where the function reuses the original socket buffer (skb) for the last slave device—identified via the racy bond_is_last_slave() check—and clones it for preceding slaves. Concurrent enslavement or release of slave devices can mutate the slave list mid-iteration under RCU protection, altering which slave is deemed "last" and resulting in the original skb being double-freed.
A local attacker with low privileges can exploit this vulnerability by triggering the race condition, for example, through concurrent slave operations while sending UDP packets (such as IPv6 UDP via sendto) over a bonding interface in broadcast mode. Successful exploitation leads to a kernel crash, as demonstrated by a KASAN-reported slab-use-after-free in skb_clone, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The use-after-free could enable denial of service or potentially more severe impacts like arbitrary code execution, depending on kernel configuration and mitigations like KASAN.
Kernel patches addressing this vulnerability are available in stable releases via the referenced commits: 2884bf72fb8f03409e423397319205de48adca16, d4cc7e4c80b1634c7b1497574a2fdb18df6c026c, and f5b94654a4a19891a8108d66ef166de6c028c6cd. These replace the racy bond_is_last_slave() check with a stable index comparison (i + 1 == slaves_count) against a pre-loop snapshot of the slave count obtained via READ_ONCE(), preserving the zero-copy optimization for the last slave while preventing double-frees from list mutations. Security practitioners should update affected Linux kernels promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21943
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave…
more
list during RCU-protected iteration, changing which slave is "last" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the "last" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free in kernel bonding driver directly enables exploitation for privilege escalation (T1068) via arbitrary code execution or endpoint DoS via kernel crash (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the use-after-free flaw in the Linux kernel bonding driver via application of available stable patches.
Memory protection safeguards like ASLR, DEP, and SMEP/SMAP mitigate exploitation of the double-freed skb for code execution or data leaks.
Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-31419 based on version checks against known affected releases.