Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: prevent policy_hthresh.work from racing with netns teardown

A XFRM_MSG_NEWSPDINFO request can queue the per-net work item
policy_hthresh.work onto the system workqueue.

The queued callback, xfrm_hash_rebuild(), retrieves the enclosing
struct net via container_of(). If the net namespace is torn down
before that work runs, the associated struct net may already have
been freed, and xfrm_hash_rebuild() may then dereference stale memory.

xfrm_policy_fini() already flushes policy_hash_work during teardown,
but it does not synchronize policy_hthresh.work.

Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the
queued work cannot outlive the net namespace teardown and access a
freed struct net.
Published: 2026-04-22
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Use‑after‑free leading to potential privilege escalation or denial of service
Action: Patch Immediately
AI Analysis

Impact

The flaw allows an attacker to trigger an XFRM_MSG_NEWSPDINFO request that queues a net‑namespace work item. If the namespace is torn down before the work executes, the callback dereferences freed memory, which can corrupt kernel data or lead to arbitrary code execution. The effect is a kernel memory corruption that could elevate privileges or cause a crash.

Affected Systems

Vulnerable kernels are any Linux systems that contain the legacy XFRM implementation before the patch was applied. No specific version range is provided, so all kernels that lack the synchronize policy_hthresh.work change are at risk.

Risk and Exploitability

Although no CVSS score is supplied, the existence of a use‑after‑free in the core networking stack indicates high severity. EPSS is not available and the issue is not yet listed in CISA KEV, but the underlying race condition could be exploited remotely if an attacker can invoke malformed XFRM messages. Attackers with network-level access or the ability to send XFRM packets could trigger the fault, leading to privilege escalation or denial of service.

Generated by OpenCVE AI on April 22, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the fix for the XFRM policy hash rebuild race condition.
  • If an update is not immediately possible, restrict the ability of untrusted entities to send XFRM_MSG_NEWSPDINFO messages by tightening network ACLs or employing firewall rules, and limit the use of network namespaces to trusted services.
  • Enforce strict access controls using SELinux or AppArmor profiles to prevent unprivileged processes from interacting with the XFRM subsystem.
  • Monitor kernel event logs (dmesg, /var/log/kern.log) for out‑of‑bounds or oops logs that indicate the use‑after‑free has been triggered, and investigate promptly.

Generated by OpenCVE AI on April 22, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 22 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: prevent policy_hthresh.work from racing with netns teardown A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work. Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net.
Title xfrm: prevent policy_hthresh.work from racing with netns teardown
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:54:32.851Z

Reserved: 2026-03-09T15:48:24.107Z

Link: CVE-2026-31516

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-22T14:16:51.130

Modified: 2026-04-22T14:16:51.130

Link: CVE-2026-31516

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31516 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:00:07Z

Weaknesses