Cyber Resilience

CVE-2026-31680

High

Published: 25 April 2026

Published
25 April 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31680 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31680 is a use-after-free vulnerability in the Linux kernel's IPv6 flowlabel subsystem. The issue arises in the `ip6fl_seq_show()` function, which iterates over the global flowlabel hash table under a seq-file RCU read-side lock and accesses `fl->opt->opt_nflen` when an option block exists. For exclusive flowlabels, `fl->opt` is freed prematurely in `fl_release()` once `fl->users` reaches zero, while the enclosing `struct ip6_flowlabel` remains visible in the hash table until later RCU garbage collection invokes `fl_free_rcu()`. This creates a race where a concurrent reader of `/proc/net/ip6_flowlabel` can dereference the freed option state, resulting in a crash.

A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L) and lack of user interaction (UI:N). By racing the early `kfree()` of `fl->opt` against a read of `/proc/net/ip6_flowlabel`, the attacker triggers a kernel crash. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.

The provided references point to stable kernel patches that resolve the issue by deferring the free of `fl->opt` until `fl_free_rcu()` during RCU teardown. This ensures the option block's lifetime aligns with the flowlabel's visibility to RCU readers, preventing the use-after-free race. Affected systems should apply these commits, such as 3c54b66c83fb8fcbde8e6a7bf90b65856e39f827 and others listed in the kernel stable repositories.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is…

more

present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel UAF with high C/I/A impact directly enables exploitation for privilege escalation (T1068) and system/application exploitation leading to DoS via kernel crash (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31558Same product: Linux Linux Kernel
CVE-2025-21680Same product: Linux Linux Kernel
CVE-2026-31419Same product: Linux Linux Kernel
CVE-2026-23350Same product: Linux Linux Kernel
CVE-2025-21647Same product: Linux Linux Kernel
CVE-2025-21791Same product: Linux Linux Kernel
CVE-2026-31502Same product: Linux Linux Kernel
CVE-2025-21883Same product: Linux Linux Kernel
CVE-2026-31548Same product: Linux Linux Kernel
CVE-2026-31485Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 3.9 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the use-after-free vulnerability in the Linux kernel's IPv6 flowlabel subsystem by applying the specific stable kernel patches that defer fl->opt freeing until RCU teardown.

detect

Enables identification of affected kernel versions vulnerable to CVE-2026-31680 through regular automated vulnerability scanning.

prevent

Implements memory protection mechanisms such as kernel address space layout randomization that mitigate exploitation of the use-after-free race condition.

References