CVE-2026-31471
Published: 22 April 2026
Summary
CVE-2026-31471 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 2.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of the use-after-free flaw in the Linux kernel's iptfs_clone_state() by applying upstream patches to prevent exploitation.
- Implements memory protections such as kernel address space randomization and non-executable memory to mitigate exploitation of the dangling mode_data pointer.
- Supports vulnerability scanning to identify systems affected by CVE-2026-31471 based on kernel version, enabling targeted patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free in xfrm iptfs lets a low-privileged attacker escalate privileges (a direct match to T1068, Exploitation for Privilege Escalation); the high confidentiality, integrity and availability impact confirms a kernel code execution path.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish mode_data after clone setup. iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory. The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed. Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.
Deeper analysis
CVE-2026-31471 is a vulnerability in the Linux kernel's xfrm iptfs implementation. The issue occurs in iptfs_clone_state(), where x->mode_data is stored before allocating the reorder window. If the allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing to freed memory. Subsequent xfrm clone unwind processing then invokes destroy_state() on the dangling pointer, resulting in a use-after-free condition.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation leads to high impacts on confidentiality, integrity, and availability, as scored at CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Mitigation requires applying upstream patches from Linux kernel stable branches, as detailed in the following commit references: https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1, https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7, and https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e. These patches ensure cloned IPTFS state remains private until all allocations succeed, preventing mode_data from being set on failed clones.
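As an added illustration, not the kernel's own code, the following user-space model shows the publish-before-allocate ordering the commit describes next to the corrected ordering, and a check that a failed clone leaves nothing behind for the unwind to free. The struct layouts, the reorder-window allocator and the failure hook are hypothetical simplifications.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the kernel structures; not the real xfrm code. */
struct iptfs_state { void *reorder_win; };
struct xfrm_state  { void *mode_data; };
static bool fail_reorder_alloc = false;   /* test hook: force the 2nd allocation to fail */
static void *alloc_reorder_window(size_t slots) {
    return fail_reorder_alloc ? NULL : calloc(slots, sizeof(void *));
}
/* Destroy path run by the xfrm clone unwind; it already tolerates NULL mode_data. */
static void iptfs_destroy_state(struct xfrm_state *x) {
    struct iptfs_state *s = x->mode_data;
    if (s) { free(s->reorder_win); free(s); x->mode_data = NULL; }
}

/* Vulnerable ordering: x->mode_data is published before the last allocation. */
static int iptfs_clone_state_buggy(struct xfrm_state *x) {
    struct iptfs_state *s = calloc(1, sizeof(*s));
    if (!s) return -ENOMEM;
    x->mode_data = s;                          /* published too early */
    s->reorder_win = alloc_reorder_window(8);
    if (!s->reorder_win) {
        free(s);                               /* x->mode_data now dangles */
        return -ENOMEM;
    }
    return 0;
}

/* Fixed ordering: keep the state private until every allocation succeeded. */
static int iptfs_clone_state_fixed(struct xfrm_state *x) {
    struct iptfs_state *s = calloc(1, sizeof(*s));
    if (!s) return -ENOMEM;
    s->reorder_win = alloc_reorder_window(8);
    if (!s->reorder_win) {
        free(s);                               /* nothing was published */
        return -ENOMEM;
    }
    x->mode_data = s;                          /* publish only on full success */
    return 0;
}

/* After a failed clone, is x->mode_data still set (what the unwind would free)? */
static bool failed_clone_leaves_mode_data(int (*clone)(struct xfrm_state *)) {
    struct xfrm_state x = { .mode_data = NULL };
    fail_reorder_alloc = true;
    int rc = clone(&x);
    fail_reorder_alloc = false;
    return rc == -ENOMEM && x.mode_data != NULL;
}
```

With the buggy ordering the unwind's destroy call would act on freed memory; with the fixed ordering it sees a NULL mode_data and returns, which is exactly what the patch relies on.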
Details
- CWE(s)