Cyber Resilience

CVE-2026-31504

Severity: High
Published: 22 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (2.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31504 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 2.9th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

This entry is flagged as AI-related because its description matched the keyword "claude" (the audit tool named in the vulnerability details); it is categorised as Other Platforms, in the Not Applicable risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31504 is a use-after-free (UAF) vulnerability in the Linux kernel's networking subsystem, in the packet_release() function of the AF_PACKET code. It arises from a race with the NETDEV_UP notifier: a socket can be re-registered into a fanout group's arr[] array after it has been released. packet_release() does not zero po->num while holding bind_lock, so a concurrent NETDEV_UP event can still invoke __fanout_link(), which adds the socket back into arr[] without incrementing f->sk_ref. fanout_release() does not undo that re-registration, so a dangling pointer remains in the fanout array.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation involves triggering the race during socket release on a bound device, leading to the UAF in the fanout array, which could enable arbitrary code execution, data corruption, or denial of service.

Kernel stable patches available at the referenced git commits mitigate the issue by setting po->num to zero while holding the bind_lock in packet_release(), closing the race window and preventing NETDEV_UP from re-linking the socket.

This vulnerability was discovered through an audit using Claude Code, building on analysis of CVE-2025-38617, with no public reports of real-world exploitation as of its publication on 2026-04-22.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packet_release() via NETDEV_UP race

`packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.
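As an added illustration (not code from the kernel, the advisory, or the patch), the following userspace C model replays the ordering described in the deeper analysis and the vulnerability details above: the release path unlinks the socket under bind_lock, a NETDEV_UP notification arrives once the lock is dropped, and fanout_release() never touches arr[]. The structures and function names are simplified stand-ins for the kernel's, and the interleaving is forced deterministically rather than raced, so the buggy and patched orderings can be compared directly.

```c
#include <stdbool.h>
/* Constructed userspace model of the structures the advisory names; not kernel code. */
#define MAX_MEMBERS 4
struct packet_sock;
struct packet_fanout {
    struct packet_sock *arr[MAX_MEMBERS];  /* f->arr[]: member sockets */
    int num_members, sk_ref;               /* f->num_members, f->sk_ref */
};
struct packet_sock {
    int num, ifindex;             /* po->num (non-zero while bound), po->ifindex */
    bool running;                 /* rx hook registered */
    struct packet_fanout *fanout; /* po->fanout */
};
/* __fanout_link() model: adds to arr[] and bumps num_members, but never sk_ref. */
void fanout_link(struct packet_sock *po) {
    struct packet_fanout *f = po->fanout;
    if (f->num_members < MAX_MEMBERS) f->arr[f->num_members++] = po;
}
/* __fanout_unlink() model: removes the socket from arr[] (swap with last). */
void fanout_unlink(struct packet_sock *po) {
    struct packet_fanout *f = po->fanout;
    for (int i = 0; i < f->num_members; i++)
        if (f->arr[i] == po) { f->arr[i] = f->arr[--f->num_members]; f->arr[f->num_members] = 0; return; }
}
/* packet_notifier(NETDEV_UP) model: re-registers a bound (po->num != 0), non-running socket. */
void notifier_netdev_up(struct packet_sock *po, int up_ifindex) {
    if (po->ifindex == up_ifindex && po->num != 0 && !po->running) {
        po->running = true;
        if (po->fanout) fanout_link(po);
    }
}
/* packet_release() model with a NETDEV_UP interleaved right after bind_lock is dropped.
 * Returns true when f->arr[] still points at the released socket (the dangling pointer). */
bool release_leaves_dangling(bool fixed) {
    struct packet_fanout f = { .num_members = 0, .sk_ref = 0 };
    struct packet_sock po = { .num = 3, .ifindex = 2, .running = true, .fanout = &f };
    fanout_link(&po); f.sk_ref = 1;      /* the socket joined the fanout group earlier */
    /* bind_lock held: unregister_prot_hook() -> __fanout_unlink() */
    po.running = false;
    fanout_unlink(&po);
    if (fixed) po.num = 0;               /* the patch: zero po->num while bind_lock is held */
    /* bind_lock dropped: a concurrent NETDEV_UP for the bound device arrives */
    notifier_netdev_up(&po, 2);
    /* fanout_release(): drops this socket's reference but does not touch arr[] */
    po.fanout = 0; f.sk_ref--;
    /* the socket is freed next; an arr[] entry still equal to &po is a dangling pointer */
    for (int i = 0; i < f.num_members; i++)
        if (f.arr[i] == &po) return true;
    return false;
}
```

With `fixed` false the array still references the socket after release (sk_ref is back to 0 while num_members is 1); with the patched ordering the notifier sees po->num == 0 and never re-links.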

CWE(s)

CWE-416 Use After Free
AI Security Analysis

AI Category: Other Platforms
Risk Domain: Not Applicable
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF race condition in packet_release() directly provides an exploitable primitive for arbitrary code execution from low privileges, mapping to T1068 Exploitation for Privilege Escalation (AV:L/PR:L).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31554 (same product: Linux Linux Kernel)
CVE-2026-45951 (same product: Linux Linux Kernel)
CVE-2025-21796 (same product: Linux Linux Kernel)
CVE-2026-23462 (same product: Linux Linux Kernel)
CVE-2026-45980 (same product: Linux Linux Kernel)
CVE-2026-23336 (same product: Linux Linux Kernel)
CVE-2025-21731 (same product: Linux Linux Kernel)
CVE-2023-52983 (same product: Linux Linux Kernel)
CVE-2026-23192 (same product: Linux Linux Kernel)
CVE-2026-31473 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 3.1, 7.0 · 3.1.1 to 5.10.253 · 5.11 to 5.15.203 · 5.16 to 6.1.168

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
  Directly mitigates the UAF race condition by requiring timely application of the kernel patch that sets po->num to zero while holding bind_lock in packet_release(), preventing re-registration via NETDEV_UP.

Memory protection (prevent; control identifier not shown on the page)
  Provides memory safeguards such as ASLR and non-executable memory that hinder exploitation of the dangling pointer in the fanout array for code execution or corruption even if the system is unpatched.

RA-5 Vulnerability Monitoring and Scanning (detect)
  Enables vulnerability scanning to identify systems affected by this specific kernel networking UAF, triggering remediation to close the race window.

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248592 OL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 8 (1 rule)
  • V-230279 RHEL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 9 (1 rule)
  • V-257794 RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416

References