Cyber Posture

CVE-2026-31663

Severity: High

Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed

CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31663 is a high-severity vulnerability in the Linux kernel; no CWE weakness type has been assigned. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent (SI-2, Flaw Remediation): directly requires timely patching of the kernel flaw, applying the fix that defers dev_put() until after NF_HOOK to eliminate the xfrm race condition with device teardown.
- Detect: vulnerability scanning identifies Linux kernels prior to the stable patches, enabling targeted remediation of affected systems.
- Prevent (CM-7, Least Functionality): least functionality restricts or disables unnecessary IPsec/xfrm processing paths, reducing the attack surface for triggering the skb->dev race.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local kernel UAF in xfrm_input allows direct exploitation for privilege escalation to root via crafted IPsec traffic triggering the race.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK. After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.

Deeper analysis

CVE-2026-31663 is a vulnerability in the Linux kernel's xfrm subsystem, which handles IPsec processing. The issue arises in the xfrm_input_resume() function during async cryptography completion, where dev_put() is called too early on the skb->dev reference before the skb reaches transport_finish and its NF_HOOK call. This creates a race condition with device teardown, as the skb->dev pointer is still accessed in NF_HOOK and its okfn (including NF_DROP, NF_QUEUE, and NF_STOLEN paths), potentially leading to use-after-free or invalid memory access. The vulnerability affects Linux kernel versions prior to the application of the referenced stable patches.

A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this vulnerability without user interaction (UI:N) and without a scope change (S:U). Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), giving a CVSS v3.1 base score of 7.8. The attacker would need access to a system running a vulnerable kernel and would likely trigger the xfrm input path via IPsec traffic processing.

Mitigation involves applying the upstream kernel patches from the provided stable commit references: https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b, https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb, and https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2. These commits adjust the device reference handling by deferring dev_put() until after NF_HOOK in transport_finish using a saved device pointer, while releasing references inline for other async exit paths like decaps, GRO, or drops. Security practitioners should update to a kernel version incorporating these fixes and monitor for systems using IPsec/xfrm features.
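The ordering change the patch describes, modelled in plain C as an added example (not kernel code and not the page's own): a device reference released before a hook that may still dereference it, beside the patched ordering that saves the device pointer and releases it only after the hook. The NF_* verdicts, the dev_hold()/dev_put() stand-ins and the teardown scenario are constructed for this example.

```c
#include <assert.h>
#include <stdlib.h>
/* Constructed user-space model of the refcount ordering bug; not kernel code. */
enum { NF_ACCEPT = 1, NF_STOLEN = 2 };
struct net_device { int refcnt; int freed; };
struct sk_buff { struct net_device *dev; };

static void dev_hold(struct net_device *d) { d->refcnt++; }
static void dev_put(struct net_device *d) { if (--d->refcnt == 0) d->freed = 1; }
/* Models NF_HOOK plus its okfn: the okfn dereferences skb->dev, and on
 * NF_STOLEN the hook consumes the skb, so the caller must not touch it after. */
static int nf_hook(struct sk_buff *skb, int verdict, int *used_freed_dev) {
    *used_freed_dev = skb->dev->freed;   /* the access that races with teardown */
    if (verdict == NF_STOLEN)
        free(skb);
    return verdict;
}

/* Pre-patch ordering: async resume drops the device ref before the hook runs. */
static int resume_vulnerable(struct sk_buff *skb, int verdict) {
    int uaf = 0;
    dev_put(skb->dev);                   /* released too early */
    if (nf_hook(skb, verdict, &uaf) != NF_STOLEN)
        free(skb);
    return uaf;                          /* 1: okfn used an already-released device */
}

/* Patched ordering: save dev because NF_HOOK may consume skb, release after it. */
static int resume_fixed(struct sk_buff *skb, int verdict) {
    int uaf = 0;
    struct net_device *dev = skb->dev;   /* skb may be gone after the hook */
    if (nf_hook(skb, verdict, &uaf) != NF_STOLEN)
        free(skb);
    dev_put(dev);                        /* after the device's last use */
    return uaf;
}

/* Scenario: device teardown already dropped its own reference while the async
 * crypto job was pending, so only the skb's reference keeps dev alive. */
static int run_scenario(int (*resume)(struct sk_buff *, int), int verdict) {
    struct net_device *dev = calloc(1, sizeof *dev);
    struct sk_buff *skb = malloc(sizeof *skb);
    dev_hold(dev); skb->dev = dev; dev_hold(dev);   /* registration ref + skb ref */
    dev_put(dev);                        /* teardown releases its reference */
    int uaf = resume(skb, verdict);
    assert(dev->refcnt == 0);            /* neither ordering leaks the reference */
    free(dev);
    return uaf;
}
```

The saved pointer matters for the NF_STOLEN path: after the hook has consumed the skb, skb->dev can no longer be read, so the release must use the copy taken beforehand.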

Details

CWE(s): none assigned

Affected Products

- Vendor: linux
- Product: linux kernel
- Versions: 4.15, 7.0; 3.2.100 to 3.3; 3.16.55 to 3.17; 4.14.24 to 4.15
