CVE-2026-31516
Published: 22 April 2026
Summary
CVE-2026-31516 is a high-severity Race Condition (CWE-362) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 1.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2026-31516 by requiring timely remediation through application of the upstream Linux kernel patch that synchronizes policy_hthresh.work in xfrm_policy_fini() during netns teardown.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability monitoring and scanning identifies the presence of CVE-2026-31516 in kernel versions, enabling proactive patching before local exploitation.
- Kernel memory protection mechanisms like KASLR and SMEP hinder exploitation of the use-after-free in xfrm_hash_rebuild() even if the race condition occurs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF race condition (XFRM netns teardown) directly enables arbitrary code execution from low-privileged context, matching T1068 Exploitation for Privilege Escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: prevent policy_hthresh.work from racing with netns teardown. A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work. Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net.
Deeper analysis
CVE-2026-31516 is a race condition vulnerability in the Linux kernel's XFRM (IPsec) subsystem. It arises when an XFRM_MSG_NEWSPDINFO request queues the per-net work item policy_hthresh.work onto the system workqueue. The callback function xfrm_hash_rebuild() retrieves the enclosing struct net via container_of(), but if the network namespace (netns) is torn down before the work executes, the struct net may have been freed, leading to a use-after-free dereference of stale memory. The vulnerability is rated with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization of Critical Sections).
A local attacker with low privileges can exploit this vulnerability by triggering the XFRM_MSG_NEWSPDINFO request and then racing to tear down the netns before the queued work runs. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel crashes, data corruption, or potential arbitrary code execution due to the use-after-free access to freed memory.
The provided references point to upstream Linux kernel stable patches that mitigate the issue. These commits synchronize policy_hthresh.work in xfrm_policy_fini() during netns teardown, ensuring the queued work cannot outlive the namespace and access freed struct net memory. Security practitioners should apply these patches to affected kernel versions.
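The ordering bug described above, and the effect of the fix, modelled in user space. This is an added illustration, not code from the kernel or from the referenced patches: the toy FIFO workqueue, the `freed` flag, net_free(), the `patched` switch and spdinfo_then_teardown() are this example's own constructs standing in for the real workqueue, kfree() and the two versions of xfrm_policy_fini().

```c
#include <stddef.h>
/* Same pointer arithmetic the kernel uses to reach the struct that embeds a work item. */
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

/* Toy system workqueue: a FIFO that a worker drains some time after items are scheduled. */
struct work_struct { void (*func)(struct work_struct *); struct work_struct *next; };
static struct work_struct *wq_head;
static void schedule_work(struct work_struct *w) {
    struct work_struct **pp = &wq_head;
    while (*pp) { if (*pp == w) return; pp = &(*pp)->next; }   /* already pending: not queued twice */
    w->next = NULL; *pp = w;
}
static void run_pending_work(void) {             /* the worker, running at some later time */
    while (wq_head) { struct work_struct *w = wq_head; wq_head = w->next; w->func(w); }
}
/* Models flush_work()/cancel_work_sync(): after this returns the item cannot run again. */
static void flush_work(struct work_struct *w) {
    for (struct work_struct **pp = &wq_head; *pp; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; w->func(w); return; }
}

/* Per-namespace state, both XFRM work items embedded in struct net; `freed` stands in for kfree. */
struct net { int policy_count, freed; struct work_struct policy_hash_work, policy_hthresh_work; };
static int rebuild_saw_freed, rebuild_saw_count;
static void xfrm_hash_rebuild(struct work_struct *w) {
    struct net *net = container_of(w, struct net, policy_hthresh_work);
    rebuild_saw_freed = net->freed;              /* 1 here is the use-after-free the kernel hits */
    rebuild_saw_count = net->policy_count;       /* stale data once the namespace is gone */
}
static void xfrm_hash_resize(struct work_struct *w) { (void)w; }   /* not modelled */
static void net_free(struct net *net) { net->freed = 1; net->policy_count = -1; }

/* Namespace teardown. The unpatched kernel flushed only policy_hash_work here. */
static void xfrm_policy_fini(struct net *net, int patched) {
    flush_work(&net->policy_hash_work);
    if (patched) flush_work(&net->policy_hthresh_work);   /* the synchronization the fix adds */
    net_free(net);
}
/* NEWSPDINFO queues the rebuild, the netns is torn down, then the worker runs. Returns 1 if the
 * rebuild callback ran against a freed namespace (the bug), 0 if the fix kept it in order. */
static int spdinfo_then_teardown(int policy_count, int patched) {
    static struct net slab; struct net *net = &slab;   /* one-slot stand-in for the net kmem cache */
    *net = (struct net){ .policy_count = policy_count };
    net->policy_hash_work.func = xfrm_hash_resize;
    net->policy_hthresh_work.func = xfrm_hash_rebuild;
    schedule_work(&net->policy_hthresh_work);    /* the XFRM_MSG_NEWSPDINFO request */
    xfrm_policy_fini(net, patched);              /* namespace torn down before the work has run */
    run_pending_work();                          /* worker runs now; container_of() yields the stale net */
    return rebuild_saw_freed;
}
```

With `patched` set, flush_work() forces the queued rebuild to complete before the namespace is released; without it, the worker later runs the callback against memory the model has already marked freed.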
Details
- CWE(s)