CVE-2026-31680
Published: 25 April 2026
Summary
CVE-2026-31680 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 3.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31680 is a use-after-free vulnerability in the Linux kernel's IPv6 flowlabel subsystem. The issue arises in the `ip6fl_seq_show()` function, which iterates over the global flowlabel hash table under a seq-file RCU read-side lock and accesses `fl->opt->opt_nflen` when an option block exists. For exclusive flowlabels, `fl->opt` is freed prematurely in `fl_release()` once `fl->users` reaches zero, while the enclosing `struct ip6_flowlabel` remains visible in the hash table until later RCU garbage collection invokes `fl_free_rcu()`. This creates a race where a concurrent reader of `/proc/net/ip6_flowlabel` can dereference the freed option state, resulting in a crash.
The flaw is exploitable by a local attacker with low privileges (PR:L), at low attack complexity (AC:L) and without user interaction (UI:N). By racing the early `kfree()` of `fl->opt` against a read of `/proc/net/ip6_flowlabel`, the attacker triggers a kernel crash. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.
The provided references point to stable kernel patches that resolve the issue by deferring the free of `fl->opt` until `fl_free_rcu()` during RCU teardown. This ensures the option block's lifetime aligns with the flowlabel's visibility to RCU readers, preventing the use-after-free race. Affected systems should apply these commits, such as 3c54b66c83fb8fcbde8e6a7bf90b65856e39f827 and others listed in the kernel stable repositories.
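The lifetime mismatch described above, replayed as one deterministic interleaving in a userspace C model (an added example, not kernel code and not the upstream patch). The `*_model` types and functions, the `freed` poison flag that stands in for `kfree()`, and the sample `opt_nflen` value are assumptions made for illustration.

```c
/* Userspace model of the flowlabel lifetime race; not kernel code. */
#include <stdio.h>
#include <stdlib.h>

enum policy { FREE_EARLY, DEFER_TO_RCU };        /* before / after the fix */
struct opt_model { int opt_nflen; int freed; };   /* freed: poison flag standing in for kfree() */
struct fl_model  { struct opt_model *opt; int users; int in_hash; };
struct outcome   { int hashed_after_release; int reader_saw_freed; int freed_after_teardown; };

/* Last user drops the label; before the fix the option block is freed here. */
static void fl_release_model(struct fl_model *fl, enum policy p)
{
    if (--fl->users == 0 && p == FREE_EARLY)
        fl->opt->freed = 1;
}

/* RCU teardown; garbage-collection unhashing is folded in for brevity. */
static void fl_free_rcu_model(struct fl_model *fl)
{
    fl->in_hash = 0;
    fl->opt->freed = 1;
}

/* Replays one interleaving: reader finds label, writer releases, reader prints. */
struct outcome replay(enum policy p)
{
    struct opt_model *opt = calloc(1, sizeof(*opt));
    struct outcome r;
    if (!opt)
        abort();
    opt->opt_nflen = 8;                            /* constructed sample value */
    struct fl_model fl = { .opt = opt, .users = 1, .in_hash = 1 };

    struct opt_model *seen = fl.in_hash ? fl.opt : NULL;  /* reader, RCU read side */
    fl_release_model(&fl, p);                      /* writer: users reaches zero */
    r.hashed_after_release = fl.in_hash;           /* label is still reachable */
    r.reader_saw_freed = seen && seen->freed;      /* opt->opt_nflen access point */
    fl_free_rcu_model(&fl);                        /* reader gone, grace period over */
    r.freed_after_teardown = opt->freed;
    free(opt);
    return r;
}

int main(void)
{
    struct outcome a = replay(FREE_EARLY), b = replay(DEFER_TO_RCU);
    printf("free in fl_release():  reader saw freed opt = %d\n", a.reader_saw_freed);
    printf("free in fl_free_rcu(): reader saw freed opt = %d\n", b.reader_saw_freed);
    return 0;
}
```

In both policies the label is still hashed after the release; only the early-free policy leaves the reader holding a pointer to a dead option block.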
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25647
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: flowlabel: defer exclusive option free until RCU teardown
`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present.
Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down.
A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`.
Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF with high C/I/A impact directly enables exploitation for privilege escalation (T1068) and system/application exploitation leading to DoS via kernel crash (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of the use-after-free vulnerability in the Linux kernel's IPv6 flowlabel subsystem by applying the specific stable kernel patches that defer `fl->opt` freeing until RCU teardown.
- Enables identification of affected kernel versions vulnerable to CVE-2026-31680 through regular automated vulnerability scanning.
- Implements memory protection mechanisms such as kernel address space layout randomization that mitigate exploitation of the use-after-free race condition.