Description
In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packet_release() via NETDEV_UP race

`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.

`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.

For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.

The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.
Published: 2026-04-22
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Execution of code due to a kernel use‑after‑free
Action: Apply patch
AI Analysis

Impact

The bug is a race between packet_release() and a NETDEV_UP notification for the socket's bound interface. packet_release() unregisters the protocol hook under bind_lock but leaves po->num non-zero, so a packet_notifier(NETDEV_UP) that has already found the socket in sklist re-registers the hook after the lock is dropped. For a PACKET_FANOUT member that path calls __fanout_link(), which puts the socket back into f->arr[] and increments f->num_members without taking a reference in f->sk_ref. fanout_release() then drops the socket's real reference and the socket is freed, but the extra arr[] entry is never removed, so later packet delivery through the fanout group dereferences a freed socket. The weakness is a classic use-after-free reached through a race condition, and an attacker who can control the socket's lifecycle could turn it into code execution with kernel privileges. The description does not detail a confirmed exploitation path, but a kernel UAF of this shape warrants concern for code execution and privilege escalation.
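The interleaving from the Description above, as an added illustration that is not part of this page and not kernel code: a small C model of the state that packet_release(), packet_notifier(NETDEV_UP) and the fanout helpers maintain. Field and function names mirror the kernel's, but the structures, the ifindex and protocol constants, the single-socket group and the deterministic delivery of the notifier inside the release window are all assumptions of the model. Run unfixed, it leaves one arr[] entry pointing at the freed socket with num_members == 1 while sk_ref == 0; with po->num zeroed under bind_lock the notifier's po->num check fails and the array stays clean.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the bookkeeping the CVE text describes; names follow
 * the kernel's, but this is a stand-alone illustration, not kernel code. */
#define BOUND_IFINDEX 2        /* assumed ifindex of the bound device */
#define PROTO_ALL     0x0003   /* assumed (non-zero) bound protocol */

struct packet_sock;
struct packet_fanout {
	struct packet_sock *arr[8];
	int num_members;           /* live entries in arr[] */
	int sk_ref;                /* member sockets holding a reference */
};
struct packet_sock {
	int num;                   /* bound protocol; 0 means "not bound" */
	int ifindex;
	bool running;              /* protocol hook registered */
	struct packet_fanout *fanout;
	bool freed;                /* stands in for the socket being freed */
};

/* __fanout_link(): adds to arr[] and bumps num_members, never sk_ref. */
static void fanout_link(struct packet_sock *po)
{
	struct packet_fanout *f = po->fanout;
	f->arr[f->num_members++] = po;
}

/* __fanout_unlink(): the only path that removes an arr[] entry. */
static void fanout_unlink(struct packet_sock *po)
{
	struct packet_fanout *f = po->fanout;
	for (int i = 0; i < f->num_members; i++)
		if (f->arr[i] == po) {
			f->arr[i] = f->arr[--f->num_members];
			f->arr[f->num_members] = NULL;
			return;
		}
}

/* register_prot_hook()/__unregister_prot_hook(): fanout membership follows
 * the hook, so the link and unlink happen here and nowhere else. */
static void set_prot_hook(struct packet_sock *po, bool on)
{
	if (po->running == on) return;
	if (po->fanout) on ? fanout_link(po) : fanout_unlink(po);
	po->running = on;
}

/* packet_notifier(NETDEV_UP): re-hooks a socket still bound to the device. */
static void notifier_netdev_up(struct packet_sock *po, int ifindex)
{
	if (po->num && po->ifindex == ifindex) set_prot_hook(po, true);
}

/* fanout_release(): drops the socket's reference but never touches arr[]. */
static void fanout_release(struct packet_sock *po)
{
	if (po->fanout) po->fanout->sk_ref--;
}

/* packet_release() in both orderings: `fixed` zeroes po->num inside the
 * bind_lock section. The notifier is delivered deterministically where the
 * real window opens, right after bind_lock is dropped. */
static void packet_release(struct packet_sock *po, bool fixed)
{
	/* bind_lock held */
	set_prot_hook(po, false);
	if (fixed) po->num = 0;
	/* bind_lock released: a racing NETDEV_UP lands here */
	notifier_netdev_up(po, BOUND_IFINDEX);
	fanout_release(po);
	po->freed = true;
}

/* Bind, join a fanout group, then close with a racing NETDEV_UP. Returns how
 * many arr[] entries still point at the freed socket; num_members and sk_ref
 * are reported so the broken invariant (they should be equal) is visible. */
int stale_fanout_entries(bool fixed, int *num_members, int *sk_ref)
{
	struct packet_fanout f;
	struct packet_sock po;
	int stale = 0;
	memset(&f, 0, sizeof f);
	memset(&po, 0, sizeof po);
	po.num = PROTO_ALL;
	po.ifindex = BOUND_IFINDEX;
	po.fanout = &f;
	f.sk_ref = 1;              /* PACKET_FANOUT join took a reference */
	set_prot_hook(&po, true);  /* arr[0] == &po, num_members == 1 */
	packet_release(&po, fixed);
	for (int i = 0; i < f.num_members; i++)
		if (f.arr[i] && f.arr[i]->freed) stale++;
	if (num_members) *num_members = f.num_members;
	if (sk_ref) *sk_ref = f.sk_ref;
	return stale;
}
```

The invariant worth checking in a real fanout group is that every pointer in arr[] is backed by a reference counted in sk_ref; the unfixed ordering breaks it because __fanout_link() is reachable from the notifier after the socket has already given its reference back.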

Affected Systems

All Linux kernel versions prior to the fix commit (see references) are affected; the exact version range is not given in the data. Any kernel build lacking the patch that zeroes po->num inside packet_release() while bind_lock is held is vulnerable, including stable and distribution kernels that have not yet backported the commit linked from this page.

Risk and Exploitability

The CVSS 3.1 vector recorded on this page is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.0, High; Red Hat rates it Moderate): a local attacker with low privileges and no user interaction, high attack complexity because a narrow race window must be won, and full confidentiality, integrity and availability impact once it is. No EPSS score is available and the vulnerability is not in the CISA KEV catalog, so there is no public evidence of exploitation yet. Triggering the race requires a process that can open AF_PACKET sockets, join a PACKET_FANOUT group and close the socket while a NETDEV_UP event fires for the bound interface. On a stock kernel AF_PACKET sockets need CAP_NET_RAW and bringing an interface up needs CAP_NET_ADMIN; both are available inside an unprivileged user namespace with its own network namespace wherever the distribution allows unprivileged user namespace creation, which is consistent with the PR:L in the vector. Winning the race leaves a freed socket in the fanout array, and that dangling pointer is what an attacker would need to turn into control of kernel memory.

Generated by OpenCVE AI on April 22, 2026 at 18:43 UTC.

Remediation

No vendor advisory or workaround is listed. The fix is the upstream kernel commit described above, which zeroes po->num inside packet_release() while bind_lock is held.

OpenCVE Recommended Actions

  • update the kernel to a version that includes the commit fixing the packet_release()/NETDEV_UP fanout race
  • for custom kernel builds, backport the change from the linked Git kernel commits (zeroing po->num inside packet_release() while bind_lock is held)
  • until patched, limit who can reach the code path: AF_PACKET sockets require CAP_NET_RAW, so do not grant it to untrusted workloads, and where unprivileged user namespaces are not needed disable them (for example user.max_user_namespaces=0), since a user namespace is the usual unprivileged route to CAP_NET_RAW and CAP_NET_ADMIN; note that fanout is a per-socket option (PACKET_FANOUT), not something that can be disabled per interface

Generated by OpenCVE AI on April 22, 2026 at 18:43 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-364
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate


Wed, 22 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | (initial description; text as in the Description section above)
Title | | net: fix fanout UAF in packet_release() via NETDEV_UP race
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:54:23.862Z

Reserved: 2026-03-09T15:48:24.105Z

Link: CVE-2026-31504

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:49.040

Modified: 2026-04-22T14:16:49.040

Link: CVE-2026-31504

Redhat

Severity : Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31504 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T18:45:24Z

Weaknesses