CVE-2026-31700
Published: 01 May 2026
Summary
CVE-2026-31700 is a high-severity Race Condition (CWE-362) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the TOCTOU race by identifying, reporting, and correcting the flaw in tpacket_snd() through application of kernel patches that copy vnet_hdr to a stack-local variable.
Prevents unauthorized or unintended information transfer via the shared mmap'd TX ring buffer, eliminating the window for concurrent userspace modifications between kernel validation and use of vnet_hdr.
Requires validation of vnet_hdr information inputs from userspace shared memory, addressing bypass of safety checks though requiring additional measures like copies to fully resolve the TOCTOU race.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel TOCTOU race condition in tpacket_snd() with PACKET_VNET_HDR allows low-privileged attacker to bypass validation checks via userspace modification of shared mmap'd buffer, directly enabling kernel-level exploitation for privilege escalation with high C/I/A impact.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates…
more
the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks. The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory. Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.
Deeper analysisAI
CVE-2026-31700 is a time-of-check-to-time-of-use (TOCTOU) race condition in the Linux kernel's net/packet subsystem, specifically within the tpacket_snd() function. The vulnerability arises when PACKET_VNET_HDR is enabled and vnet_hdr points directly into an mmap'd TX ring buffer shared with userspace. The kernel validates the header using __packet_snd_vnet_parse(), but later re-reads the fields in virtio_net_hdr_to_skb(), allowing modifications in the interim. This issue is unique to the TPACKET TX path, as other vnet_hdr consumers like packet_snd(), tun.c, tap.c, and virtio_net.c properly copy data to stack-local variables.
A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this by running a concurrent userspace thread that modifies the vnet_hdr fields in the shared mmap'd ring buffer after validation but before the kernel's subsequent read. This bypasses all safety checks, potentially leading to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), as scored at CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The attacker requires access to a system running a vulnerable kernel with TPACKET and PACKET_VNET_HDR in use.
Mitigation involves applying upstream kernel patches, such as those in the referenced stable commits (e.g., 28324a3b62d9ce7f9bdd65a8ce63f382041d1b27, 2c054e17d9d41f1020376806c7f750834ced4dc5), which fix the issue by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, aligning with the approach in packet_snd() and other kernel consumers.
Details
- CWE(s)