Cyber Resilience

CVE-2026-31469

High

Published: 22 April 2026

Published
22 April 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31469 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-31469 is a Use-After-Free (UAF) vulnerability in the Linux kernel's virtio_net driver. It arises when the driver is configured with napi_tx disabled (napi_tx=N) and the device's IFF_XMIT_DST_RELEASE flag is cleared, such as during the setup of tc route filter rules. Under these conditions, skbs may linger in the virtio transmit ring. If the network namespace is destroyed while these skbs remain pending, the associated dst_ops structure is freed. A subsequent packet transmission triggers free_old_xmit(), which calls dst_release() on a stale dst_entry, referencing the already-freed dst_ops and resulting in a kernel paging request fault.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) in an unprivileged scope (S:U). By configuring tc qdisc route filters to clear IFF_XMIT_DST_RELEASE, moving the device to a network namespace, sending traffic (e.g., ping), and deleting the namespace—then repeating—the attacker triggers the UAF during cleanup of pending skbs. This leads to a kernel crash via an unhandled paging request, with potential for high confidentiality, integrity, and availability impacts (CVSS 7.8), as indicated by the UAF nature.

The vulnerability is addressed in multiple stable kernel patches, available at kernel.org git commits such as 63d45077b97bb0e0fe0c75931acbbca7a47af141, 8a4790850e710fd6771e4d2112168ed1dd6c0e54, and others. The fix adds skb_dst_drop(skb) in the start_xmit function to explicitly release the dst reference before queuing the skb in virtio_net, preventing the reference from persisting after namespace destruction. Security practitioners should update to patched kernel versions to mitigate exposure in virtio_net environments.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag…

more

is cleared (e.g., during the configuration of tc route filter rules). When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed. In virtio_net with napi_tx=N, skbs may remain in the virtio transmit ring for an extended period. If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure has freed. When a subsequent packet is transmitted, free_old_xmit() is triggered to clean up old skbs. It then calls dst_release() on the skb associated with the stale dst_entry. Since the dst_ops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs. fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net. Call Trace: Unable to handle kernel paging request at virtual address ffff80007e150000 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT ... percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P) dst_release+0xe0/0x110 net/core/dst.c:177 skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177 sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255 dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469 napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527 __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net] free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net] start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net] ... Reproduction Steps: NETDEV="enp3s0" config_qdisc_route_filter() { tc qdisc del dev $NETDEV root tc qdisc add dev $NETDEV root handle 1: prio tc filter add dev $NETDEV parent 1:0 \ protocol ip prio 100 route to 100 flowid 1:1 ip route add 192.168.1.100/32 dev $NETDEV realm 100 } test_ns() { ip netns add testns ip link set $NETDEV netns testns ip netns exec testns ifconfig $NETDEV 10.0.32.46/24 ip netns exec testns ping -c 1 10.0.32.1 ip netns del testns } config_qdisc_route_filter test_ns sleep 2 test_ns

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel UAF in virtio_net enables privilege escalation via memory corruption (T1068) and direct DoS via triggered kernel paging fault/crash (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31419Same product: Linux Linux Kernel
CVE-2025-21883Same product: Linux Linux Kernel
CVE-2026-43056Same product: Linux Linux Kernel
CVE-2025-21791Same product: Linux Linux Kernel
CVE-2025-21751Same product: Linux Linux Kernel
CVE-2026-31511Same product: Linux Linux Kernel
CVE-2026-23171Same product: Linux Linux Kernel
CVE-2026-31580Same product: Linux Linux Kernel
CVE-2023-53023Same product: Linux Linux Kernel
CVE-2024-57795Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 2.6.26 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the UAF in virtio_net by requiring timely application of kernel patches that add skb_dst_drop() to release dst references properly.

prevent

Kernel memory protections like ASLR, SMAP, and stack canaries reduce the exploitability and impact of the UAF on dst_ops structures.

prevent

Enforces secure baseline configurations for virtio_net parameters (e.g., enabling napi_tx) and network stack flags to avoid conditions triggering the UAF.

References