CVE-2026-31504

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packet_release() via NETDEV_UP race

packet_release() has a race window where NETDEV_UP can re-register a socket into a fanout group's arr[] array. The re-registration is not cleaned up by fanout_release(), leaving a dangling pointer in the fanout array. packet_release() does NOT zero po->num in its bind_lock section. After releasing bind_lock, po->num is still non-zero and po->ifindex still matches the bound device. A concurrent packet_notifier(NETDEV_UP) that already found the socket in sklist can re-register the hook. For fanout sockets, this re-registration calls __fanout_link(sk, po) which adds the socket back into f->arr[] and increments f->num_members, but does NOT increment f->sk_ref.

The fix sets po->num to zero in packet_release while bind_lock is held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based on CVE-2025-38617.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxce06b03e60fc19c680d1bf873e779bf11c2fc518 < ee642b1962caa9aa231c01abbd58bc453ae6b66eaffected
LinuxLinuxce06b03e60fc19c680d1bf873e779bf11c2fc518 < 42cfd7898eeed290c9fb73f732af1f7d6b0a703eaffected
LinuxLinuxce06b03e60fc19c680d1bf873e779bf11c2fc518 < 1b4c03f8892d955385c202009af7485364731bb9affected
LinuxLinuxce06b03e60fc19c680d1bf873e779bf11c2fc518 < 654386baef228c2992dbf604c819e4c7c35fc71baffected
LinuxLinuxce06b03e60fc19c680d1bf873e779bf11c2fc518 < 75fe6db23705a1d55160081f7b37db9665b1880baffected
LinuxLinuxce06b03e60fc19c680d1bf873e779bf11c2fc518 < d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6affected
LinuxLinuxce06b03e60fc19c680d1bf873e779bf11c2fc518 < ceccbfc6de720ad633519a226715989cfb065af1affected
LinuxLinuxce06b03e60fc19c680d1bf873e779bf11c2fc518 < 42156f93d123436f2a27c468f18c966b7e5db796affected
LinuxLinux3.1affected
LinuxLinux0 < 3.1unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.131 <= 6.6.*unaffected
LinuxLinux6.12.80 <= 6.12.*unaffected
LinuxLinux6.18.21 <= 6.18.*unaffected
LinuxLinux6.19.11 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References