Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: hold dev ref until after transport_finish NF_HOOK

After async crypto completes, xfrm_input_resume() calls dev_put()
immediately on re-entry before the skb reaches transport_finish.
The skb->dev pointer is then used inside NF_HOOK and its okfn,
which can race with device teardown.

Remove the dev_put from the async resumption entry and instead
drop the reference after the NF_HOOK call in transport_finish,
using a saved device pointer since NF_HOOK may consume the skb.
This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip
the okfn.

For non-transport exits (decaps, gro, drop) and secondary
async return points, release the reference inline when
async is set.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Use-After-Free via Race Condition
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, an asynchronous cryptographic completion path in the XFRM subsystem releases a device reference too early. When async crypto completes, xfrm_input_resume() drops the device reference as soon as the skb re-enters the stack, before the skb's dev pointer is used inside NF_HOOK and its okfn callbacks. This window can race with device teardown, so the skb may reference a device that has already been freed, potentially leading to a use-after-free and a kernel crash. The flaw is a classic race condition that can impact the confidentiality, integrity, and availability of the system by allowing a kernel panic or denial of service.

Affected systems include all Linux kernel releases that contain the vulnerable code. The CPE data indicates versions from 4.15 and all 7.0 release candidates (rc1 through rc7). Any running kernel that has not yet been patched contains the buggy sequence in which dev_put() is called immediately on async resume.

The CVSS score of 7.8 indicates a medium-to-high severity. EPSS is below 1 %, suggesting that the probability of exploitation is low, and the vulnerability is currently not listed in CISA's KEV catalog. Nonetheless, a race that can lead to a kernel crash means that, once a trigger is known, attackers may target vulnerable systems. The likely attack vector involves triggering the async crypto path (for example via IPsec or VPN traffic) while simultaneously tearing down or disrupting the network device. Because this requires interaction with the kernel network stack, the exploit would typically need sufficient privileges or a remote trigger that can generate the offending traffic. Mitigation and remediation steps are summarized below.
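As an added illustration (not kernel code and not taken from the commit), a small user-space model of the ordering the fix changes: the hook and its okfn both dereference skb->dev and consume the skb on every verdict, so the device reference has to be dropped after the hook through a saved pointer rather than on async re-entry. All names are simplified stand-ins for the kernel's dev_hold/dev_put, NF_HOOK and okfn, and the verdict values are constructed for the model.

```c
/* Added model of the reference ordering in the commit message; not kernel code. */
#include <stdbool.h>
#include <stdlib.h>
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2 };   /* simplified verdicts */
struct net_device { int refcnt; };
struct sk_buff { struct net_device *dev; };
static void dev_hold(struct net_device *d) { d->refcnt++; }
static void dev_put(struct net_device *d) { d->refcnt--; }
/* Set when skb->dev is dereferenced with no ref held (kernel: teardown may free it). */
static bool saw_unreferenced_dev;
static struct sk_buff *make_skb(struct net_device *dev)
{
    struct sk_buff *skb = malloc(sizeof *skb);
    skb->dev = dev;
    dev_hold(dev);                  /* async crypto path holds a ref for the skb */
    return skb;
}

/* Stand-in for the okfn: also touches skb->dev, then consumes the skb. */
static void okfn(struct sk_buff *skb)
{
    if (skb->dev->refcnt <= 0) saw_unreferenced_dev = true;
    free(skb);
}

/* Stand-in for NF_HOOK: touches skb->dev and consumes the skb on every verdict. */
static int nf_hook(struct sk_buff *skb, int verdict)
{
    if (skb->dev->refcnt <= 0) saw_unreferenced_dev = true;
    if (verdict == NF_ACCEPT) okfn(skb);
    else free(skb);                 /* NF_DROP / NF_STOLEN: okfn is skipped */
    return verdict;
}

/* Buggy order: dev_put() on async re-entry, then the hook dereferences skb->dev. */
static bool buggy_resume(struct sk_buff *skb, int verdict)
{
    saw_unreferenced_dev = false;
    dev_put(skb->dev);
    nf_hook(skb, verdict);
    return !saw_unreferenced_dev;   /* false: dev was used with no ref held */
}

/* Fixed order: save dev (the hook may consume skb), run the hook, then dev_put(). */
static bool fixed_resume(struct sk_buff *skb, int verdict)
{
    struct net_device *dev = skb->dev;
    saw_unreferenced_dev = false;
    nf_hook(skb, verdict);
    dev_put(dev);                   /* reference released only after the hook */
    return !saw_unreferenced_dev;
}
```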

Affected Systems

Linux kernels starting from 4.15 and all 7.0 release candidates. Systems running these kernels without the update are vulnerable. Vendor product name: Linux (kernel).

Risk and Exploitability

The CVSS score of 7.8 reflects a moderate to high risk of a kernel crash. The EPSS score of less than 1 % indicates a low probability of immediate exploitation, and the flaw is not yet listed in CISA’s KEV catalog. However, once an attacker discovers a trigger for the async crypto path, the race condition could be used to force a use‑after‑free, resulting in denial of service. The vulnerability can be exploited by sending crafted traffic that causes the async crypto completion, followed by operations that cause the underlying network device to be torn down. The requirement of a race between the crypto completion and device teardown makes the exploit non‑trivial, but the impact remains significant if successful.

Generated by OpenCVE AI on April 28, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the patched release that incorporates the fix for CVE-2026-31663.
  • If an update is not immediately possible, restrict or temporarily disable IPsec or other XFRM-based traffic that would trigger the async crypto path while the vulnerable kernel is running, to reduce exposure to the race condition.
  • Monitor kernel logs for signs of device teardown or async crypto error messages, and plan to schedule a kernel upgrade or apply relevant patches at the earliest opportunity.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-826
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.
Title xfrm: hold dev ref until after transport_finish NF_HOOK
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:10.803Z

Reserved: 2026-03-09T15:48:24.129Z

Link: CVE-2026-31663

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:45.947

Modified: 2026-04-27T19:59:32.810

Link: CVE-2026-31663

Redhat

Severity : Important

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31663 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses