{"id":"CVE-2026-31504","summary":"net: fix fanout UAF in packet_release() via NETDEV_UP race","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po-\u003enum` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po-\u003enum` is still non-zero and `po-\u003eifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f-\u003earr[]` and increments `f-\u003enum_members`,\nbut does NOT increment `f-\u003esk_ref`.\n\nThe fix sets `po-\u003enum` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.","modified":"2026-07-09T18:30:07.058060188Z","published":"2026-04-22T13:54:23.862Z","related":["SUSE-SU-2026:2068-1","SUSE-SU-2026:2111-1","SUSE-SU-2026:21834-1","SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2195-1","SUSE-SU-2026:2202-1","SUSE-SU-2026:2215-1","SUSE-SU-2026:2216-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:22276-1","SUSE-SU-2026:22277-1","SUSE-SU-2026:22278-1","SUSE-SU-2026:22279-1","SUSE-SU-2026:22280-1","SUSE-SU-2026:22281-1","SUSE-SU-2026:22282-1","SUSE-SU-2026:22283-1","SUSE-SU-2026:22288-1","SUSE-SU-2026:2238-1","SUSE-SU-2026:22383-1","SUSE-SU-2026:22384-1","SUSE-SU-2026:22385-1","SUSE-SU-2026:22386-1","SUSE-SU-2026:22387-1","SUSE-SU-2026:22388-1","SUSE-SU-2026:22389-1","SUSE-SU-2026:22390-1","SUSE-SU-2026:22391-1","SUSE-SU-2026:22396-1","SUSE-SU-2026:22397-1","SUSE-SU-2026:22398-1","SUSE-SU-2026:22399-1","SUSE-SU-2026:22400-1","SUSE-SU-2026:22401-1","SUSE-SU-2026:22402-1","SUSE-SU-2026:22403-1","SUSE-SU-2026:22404-1","SUSE-SU-2026:22405-1","SUSE-SU-2026:22406-1","SUSE-SU-2026:22407-1","SUSE-SU-2026:22408-1","SUSE-SU-2026:22409-1","SUSE-SU-2026:22410-1","SUSE-SU-2026:22411-1","SUSE-SU-2026:22412-1","SUSE-SU-2026:22413-1","SUSE-SU-2026:22414-1","SUSE-SU-2026:22415-1","SUSE-SU-2026:22416-1","SUSE-SU-2026:22417-1","SUSE-SU-2026:22418-1","SUSE-SU-2026:22419-1","SUSE-SU-2026:22420-1","SUSE-SU-2026:22421-1","SUSE-SU-2026:22425-1","SUSE-SU-2026:22426-1","SUSE-SU-2026:22427-1","SUSE-SU-2026:22428-1","SUSE-SU-2026:22461-1","SUSE-SU-2026:22462-1","SUSE-SU-2026:22463-1","SUSE-SU-2026:22464-1","SUSE-SU-2026:22465-1","SUSE-SU-2026:22466-1","SUSE-SU-2026:22467-1","SUSE-SU-2026:22468-1","SUSE-SU-2026:22469-1","SUSE-SU-2026:22470-1","SUSE-SU-2026:22471-1","SUSE-SU-2026:22472-1","SUSE-SU-2026:22473-1","SUSE-SU-2026:22474-1","SUSE-SU-2026:22475-1","SUSE-SU-2026:22476-1","SUSE-SU-2026:22478-1","SUSE-SU-2026:22479-1","SUSE-SU-2026:22480-1","SUSE-SU-2026:22481-1","SUSE-SU-2026:22482-1","SUSE-SU-2026:22483-1","SUSE-SU-2026:22484-1","SUSE-SU-2026:22485-1","SUSE-SU-2026:22486-1","SUSE-SU-2026:22487-1","SUSE-SU-2026:22488-1","SUSE-SU-2026:22489-1","SUSE-SU-2026:22490-1","SUSE-SU-2026:22491-1","SUSE-SU-2026:22507-1","SUSE-SU-2026:22508-1","SUSE-SU-2026:22509-1","SUSE-SU-2026:2494-1","SUSE-SU-2026:2496-1","SUSE-SU-2026:2500-1","SUSE-SU-2026:2503-1","SUSE-SU-2026:2511-1","SUSE-SU-2026:2518-1","SUSE-SU-2026:2520-1","SUSE-SU-2026:2532-1","SUSE-SU-2026:2549-1","SUSE-SU-2026:2559-1","SUSE-SU-2026:2567-1","SUSE-SU-2026:2571-1","SUSE-SU-2026:2588-1","SUSE-SU-2026:2592-1","SUSE-SU-2026:2594-1","SUSE-SU-2026:2601-1","SUSE-SU-2026:2603-1","SUSE-SU-2026:2607-1","SUSE-SU-2026:2608-1","SUSE-SU-2026:2610-1","openSUSE-SU-2026:20826-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31504.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"},{"type":"WEB","url":"https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31504.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31504"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ce06b03e60fc19c680d1bf873e779bf11c2fc518"},{"fixed":"ee642b1962caa9aa231c01abbd58bc453ae6b66e"},{"fixed":"42cfd7898eeed290c9fb73f732af1f7d6b0a703e"},{"fixed":"1b4c03f8892d955385c202009af7485364731bb9"},{"fixed":"654386baef228c2992dbf604c819e4c7c35fc71b"},{"fixed":"75fe6db23705a1d55160081f7b37db9665b1880b"},{"fixed":"d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"},{"fixed":"ceccbfc6de720ad633519a226715989cfb065af1"},{"fixed":"42156f93d123436f2a27c468f18c966b7e5db796"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31504.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.1.0"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31504.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}