Cyber Resilience

CVE-2026-31673

HighUpdated

Published: 25 April 2026

Published
25 April 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31673 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31673 is a vulnerability in the Linux kernel's af_unix implementation, specifically affecting the handling of UNIX_DIAG_VFS data during netlink diagnostics. Exact UNIX diag lookups hold a reference to the socket but not to u->path, while unix_release_sock() clears u->path under unix_state_lock() and drops the path reference afterward. This creates a race condition where VFS data (inode and device numbers) may be read unstably during reply construction. The issue was published on 2026-04-25 and carries a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction. Exploitation involves racing the diagnostic lookup against socket release to access unstable or freed u->path data in the netlink reply, potentially leading to high impacts on confidentiality, integrity, and availability, such as information disclosure, data corruption, or denial of service.

Patches addressing this vulnerability are available in Linux kernel stable trees via the following commits: https://git.kernel.org/stable/c/0c739f3785f84af695952c2bac8be2f45082c9b8, https://git.kernel.org/stable/c/39897df386376912d561d4946499379effa1e7ef, https://git.kernel.org/stable/c/900a4e0910e98b8caef117d5df00471fa438dcf9, https://git.kernel.org/stable/c/b9232421a77a649c9376c99fdfc8cb7f79cad34c, and https://git.kernel.org/stable/c/bdf206e740bf2919d818f132c8c9cc7ed91d11c0. Security practitioners should apply these updates to mitigate the race condition by reading VFS data under unix_state_lock() before emitting netlink attributes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path…

more

reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel race condition in af_unix netlink diagnostics directly enables exploitation for privilege escalation (T1068) by a low-privileged attacker, with secondary potential for info disclosure or DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152Same product: Linux Linux Kernel
CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2025-21856Same product: Linux Linux Kernel
CVE-2025-21727Same product: Linux Linux Kernel
CVE-2026-23275Same product: Linux Linux Kernel
CVE-2026-31401Same product: Linux Linux Kernel
CVE-2024-57980Same product: Linux Linux Kernel
CVE-2026-23437Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 3.3 — 6.6.136 · 6.7 — 6.12.83 · 6.13 — 6.18.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Applying available Linux kernel patches directly resolves the race condition by reading UNIX_DIAG_VFS data under unix_state_lock.

detect

Vulnerability scanning identifies deployed kernels vulnerable to CVE-2026-31673 for targeted remediation.

detect

Receiving kernel security advisories and directives ensures awareness of CVE-2026-31673 and prompt patching.

References