Cyber Resilience

CVE-2026-31663

High

Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: upstream stable commits (see Deeper analysis)
CVSS v3.1 score: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0001 (3.3rd percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31663 is a high-severity vulnerability in the Linux kernel (vendor: Linux) with no CWE assigned. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-31663 is a vulnerability in the Linux kernel's xfrm subsystem, which handles IPsec processing. The issue arises in the xfrm_input_resume() function during async cryptography completion, where dev_put() is called too early on the skb->dev reference before the skb reaches transport_finish and its NF_HOOK call. This creates a race condition with device teardown, as the skb->dev pointer is still accessed in NF_HOOK and its okfn (including NF_DROP, NF_QUEUE, and NF_STOLEN paths), potentially leading to use-after-free or invalid memory access. The vulnerability affects Linux kernel versions prior to the application of the referenced stable patches.

A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this vulnerability without user interaction (UI:N), and the scope is unchanged (S:U). Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), giving a CVSS v3.1 base score of 7.8. The attacker would need access to a system running a vulnerable kernel and would likely have to trigger the xfrm input path via IPsec traffic processing.

Mitigation involves applying the upstream kernel patches from the provided stable commit references: https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b, https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb, and https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2. These commits adjust the device reference handling by deferring dev_put() until after NF_HOOK in transport_finish using a saved device pointer, while releasing references inline for other async exit paths like decaps, GRO, or drops. Security practitioners should update to a kernel version incorporating these fixes and monitor for systems using IPsec/xfrm features.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK. After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.
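The device-reference ordering described in the deeper analysis and in the upstream commit text above, as an added user-space model that is not kernel code and not part of this record: net_device, sk_buff, dev_hold, dev_put and nf_hook are simplified stand-ins, a device whose count reaches zero is only flagged as freed rather than released, and device teardown is modelled as the core dropping its own reference between async resume and the hook. Both entry points return a fault mask so the pre-fix (early dev_put) and fixed (deferred dev_put through a saved pointer) orderings can be compared directly.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the refcount ordering in the xfrm fix. Not kernel code:
 * the structs and helpers below are stand-ins chosen so the ordering can be
 * exercised and checked without touching freed memory. */
struct net_device {
    int refcnt;   /* the core's reference is the one teardown releases */
    bool freed;   /* set when refcnt hits zero; memory kept so the check is safe */
};

struct sk_buff {
    struct net_device *dev;
};

static void dev_hold(struct net_device *dev) { dev->refcnt++; }

static void dev_put(struct net_device *dev)
{
    if (--dev->refcnt == 0)
        dev->freed = true;   /* in the real kernel the device memory is reusable here */
}

/* Stand-in for NF_HOOK plus its okfn: dereferences skb->dev and may consume the
 * skb (the NF_STOLEN / NF_QUEUE cases), after which skb must not be touched.
 * Returns 1 if it dereferenced a device that was already freed. */
static int nf_hook(struct sk_buff *skb, bool consume)
{
    int fault = skb->dev->freed ? 1 : 0;
    if (consume)
        free(skb);
    return fault;
}

/* Shared setup: device with the core's reference plus the one taken when the
 * packet went async, and an skb pointing at it. */
static struct sk_buff *setup(struct net_device *dev)
{
    struct sk_buff *skb = calloc(1, sizeof(*skb));
    if (!skb)
        abort();
    dev->refcnt = 1;          /* core reference */
    dev->freed = false;
    skb->dev = dev;
    dev_hold(dev);            /* async path's reference, refcnt is now 2 */
    return skb;
}

/* Pre-fix ordering: the async reference is dropped on resume, before NF_HOOK.
 * Fault mask: bit 0 = freed device dereferenced, bit 1 = reference leaked. */
int resume_early_put(bool teardown_races, bool hook_consumes)
{
    struct net_device dev;
    struct sk_buff *skb = setup(&dev);
    int fault;

    dev_put(skb->dev);                 /* too early: hook has not run yet */
    if (teardown_races)
        dev_put(&dev);                 /* core drops its reference: refcnt 0, freed */
    fault = nf_hook(skb, hook_consumes);
    if (!hook_consumes)
        free(skb);
    if (dev.refcnt != (teardown_races ? 0 : 1))
        fault |= 2;
    return fault;
}

/* Fixed ordering: keep the reference across NF_HOOK and drop it afterwards via
 * a saved pointer, because the hook may have consumed the skb. */
int resume_deferred_put(bool teardown_races, bool hook_consumes)
{
    struct net_device dev;
    struct sk_buff *skb = setup(&dev);
    struct net_device *saved = skb->dev;   /* skb may be gone after the hook */
    int fault;

    if (teardown_races)
        dev_put(&dev);                 /* refcnt 2 -> 1: device stays alive */
    fault = nf_hook(skb, hook_consumes);
    if (!hook_consumes)
        free(skb);
    dev_put(saved);                    /* last reference released here if teardown raced */
    if (dev.refcnt != (teardown_races ? 0 : 1))
        fault |= 2;
    return fault;
}

int main(void)
{
    printf("early put, teardown races:    fault mask %d\n", resume_early_put(true, false));
    printf("deferred put, teardown races: fault mask %d\n", resume_deferred_put(true, true));
    return 0;
}
```

A fault mask of 1 from the early-put path with a racing teardown is the use-after-free the advisory describes; the deferred-put path returns 0 in the same scenario, including when the hook consumes the skb, which is why the fix saves the device pointer before calling NF_HOOK instead of reading skb->dev afterwards.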

CWE(s): none assigned

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in xfrm_input allows direct exploitation for privilege escalation to root via crafted IPsec traffic triggering the race.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 (same product: Linux Kernel)
CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2026-23387 (same product: Linux Kernel)
CVE-2025-21856 (same product: Linux Kernel)
CVE-2025-21727 (same product: Linux Kernel)
CVE-2026-23275 (same product: Linux Kernel)
CVE-2026-31401 (same product: Linux Kernel)
CVE-2024-57980 (same product: Linux Kernel)
CVE-2026-23437 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 4.15, 7.0; 3.2.100 to 3.3; 3.16.55 to 3.17; 4.14.24 to 4.15

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2 Flaw Remediation): directly requires timely patching of the kernel flaw; the fix defers dev_put() until after NF_HOOK to eliminate the xfrm race condition with device teardown.

Detect: vulnerability scanning identifies Linux kernels that predate the stable patches, enabling targeted remediation of affected systems.

Prevent (CM-7 Least Functionality): least functionality restricts or disables unnecessary IPsec/xfrm processing paths, reducing the attack surface for triggering the skb->dev race.
