CVE-2026-31469
Published: 22 April 2026
Summary
CVE-2026-31469 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-31469 is a Use-After-Free (UAF) vulnerability in the Linux kernel's virtio_net driver. It arises when the driver is configured with napi_tx disabled (napi_tx=N) and the device's IFF_XMIT_DST_RELEASE flag is cleared, such as during the setup of tc route filter rules. Under these conditions, skbs may linger in the virtio transmit ring. If the network namespace is destroyed while these skbs remain pending, the associated dst_ops structure is freed. A subsequent packet transmission triggers free_old_xmit(), which calls dst_release() on a stale dst_entry, referencing the already-freed dst_ops and resulting in a kernel paging request fault.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) in an unprivileged scope (S:U). By configuring tc qdisc route filters to clear IFF_XMIT_DST_RELEASE, moving the device to a network namespace, sending traffic (e.g., ping), and deleting the namespace—then repeating—the attacker triggers the UAF during cleanup of pending skbs. This leads to a kernel crash via an unhandled paging request, with potential for high confidentiality, integrity, and availability impacts (CVSS 7.8), as indicated by the UAF nature.
The vulnerability is addressed in multiple stable kernel patches, available at kernel.org git commits such as 63d45077b97bb0e0fe0c75931acbbca7a47af141, 8a4790850e710fd6771e4d2112168ed1dd6c0e54, and others. The fix adds skb_dst_drop(skb) in the start_xmit function to explicitly release the dst reference before queuing the skb in virtio_net, preventing the reference from persisting after namespace destruction. Security practitioners should update to patched kernel versions to mitigate exposure in virtio_net environments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24817
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag…
more
is cleared (e.g., during the configuration of tc route filter rules). When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed. In virtio_net with napi_tx=N, skbs may remain in the virtio transmit ring for an extended period. If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure has freed. When a subsequent packet is transmitted, free_old_xmit() is triggered to clean up old skbs. It then calls dst_release() on the skb associated with the stale dst_entry. Since the dst_ops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs. fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net. Call Trace: Unable to handle kernel paging request at virtual address ffff80007e150000 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT ... percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P) dst_release+0xe0/0x110 net/core/dst.c:177 skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177 sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255 dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469 napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527 __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net] free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net] start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net] ... Reproduction Steps: NETDEV="enp3s0" config_qdisc_route_filter() { tc qdisc del dev $NETDEV root tc qdisc add dev $NETDEV root handle 1: prio tc filter add dev $NETDEV parent 1:0 \ protocol ip prio 100 route to 100 flowid 1:1 ip route add 192.168.1.100/32 dev $NETDEV realm 100 } test_ns() { ip netns add testns ip link set $NETDEV netns testns ip netns exec testns ifconfig $NETDEV 10.0.32.46/24 ip netns exec testns ping -c 1 10.0.32.1 ip netns del testns } config_qdisc_route_filter test_ns sleep 2 test_ns
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF in virtio_net enables privilege escalation via memory corruption (T1068) and direct DoS via triggered kernel paging fault/crash (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the UAF in virtio_net by requiring timely application of kernel patches that add skb_dst_drop() to release dst references properly.
Kernel memory protections like ASLR, SMAP, and stack canaries reduce the exploitability and impact of the UAF on dst_ops structures.
Enforces secure baseline configurations for virtio_net parameters (e.g., enabling napi_tx) and network stack flags to avoid conditions triggering the UAF.