Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: prevent policy_hthresh.work from racing with netns teardown

A XFRM_MSG_NEWSPDINFO request can queue the per-net work item
policy_hthresh.work onto the system workqueue.

The queued callback, xfrm_hash_rebuild(), retrieves the enclosing
struct net via container_of(). If the net namespace is torn down
before that work runs, the associated struct net may already have
been freed, and xfrm_hash_rebuild() may then dereference stale memory.

xfrm_policy_fini() already flushes policy_hash_work during teardown,
but it does not synchronize policy_hthresh.work.

Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the
queued work cannot outlive the net namespace teardown and access a
freed struct net.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free leading to potential privilege escalation or denial of service
Action: Patch Immediately
AI Analysis

Impact

The flaw is a race condition (CWE‑362) that allows an attacker to trigger an XFRM_MSG_NEWSPDINFO request that queues a net‑namespace work item. If the namespace is torn down before the work executes, the callback dereferences freed memory, which can corrupt kernel data or lead to arbitrary code execution. The effect is a kernel memory corruption that could elevate privileges or cause a crash. This vulnerability is also characterized as a use‑after‑free (CWE‑364).

Affected Systems

Vulnerable kernels are any Linux systems that contain the legacy XFRM implementation before the patch was applied. No specific version range is provided, so all kernels that lack the synchronize policy_hthresh.work change are at risk.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity. The EPSS score of < 1% suggests a low likelihood of exploitation, and the vulnerability is not yet listed in CISA KEV. Attackers with the ability to send malicious XFRM messages or gain network-level access could trigger the race condition, potentially leading to privilege escalation or denial of service.

Generated by OpenCVE AI on April 28, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the fix for the XFRM policy hash rebuild race condition.
  • If an update is not immediately possible, restrict the ability of untrusted entities to send XFRM_MSG_NEWSPDINFO messages by tightening network ACLs or employing firewall rules, and limit the use of network namespaces to trusted services.
  • Enforce strict access controls using SELinux or AppArmor profiles to prevent unprivileged processes from interacting with the XFRM subsystem.
  • Monitor kernel event logs (dmesg, /var/log/kern.log) for out‑of‑bounds or oops logs that indicate the use‑after‑free has been triggered, and investigate promptly.

Generated by OpenCVE AI on April 28, 2026 at 20:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Tue, 28 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:o:linux:linux_kernel:3.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Tue, 28 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 22 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: prevent policy_hthresh.work from racing with netns teardown A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work. Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net.
Title xfrm: prevent policy_hthresh.work from racing with netns teardown
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:18.477Z

Reserved: 2026-03-09T15:48:24.107Z

Link: CVE-2026-31516

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:51.130

Modified: 2026-04-28T16:30:40.667

Link: CVE-2026-31516

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31516 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:00:14Z

Weaknesses