Description
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: flowlabel: defer exclusive option free until RCU teardown

`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file
RCU read-side lock and prints `fl->opt->opt_nflen` when an option block
is present.

Exclusive flowlabels currently free `fl->opt` as soon as `fl->users`
drops to zero in `fl_release()`. However, the surrounding
`struct ip6_flowlabel` remains visible in the global hash table until
later garbage collection removes it and `fl_free_rcu()` finally tears it
down.

A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that
early `kfree()` and dereference freed option state, triggering a crash
in `ip6fl_seq_show()`.

Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches
the lifetime already required for the enclosing flowlabel while readers
can still reach it under RCU.
Published: 2026-04-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ip6fl_seq_show() reads the global IPv6 flowlabel hash while holding an RCU read lock and prints the length of an attached option if present. The flowlabel implementation frees the option object as soon as its user count drops to zero, but the surrounding flowlabel structure remains in the hash table until later garbage collection. A reader of /proc/net/ip6_flowlabel can therefore race the early kfree() and dereference freed memory, causing a kernel crash. This is a classic use‑after‑free leading to a denial of service. The flaw is identified as CWE‑825.
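
The lifetime mismatch described above, as a constructed user-space model (an added example, not kernel code and not taken from the fix commit). All `model_*` names, the `freed` marker and the sample `opt_nflen` value are assumptions made for illustration; the model replays one interleaving deterministically rather than racing threads.

```c
/* Constructed user-space model of the lifetimes described above; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct opt_model { int opt_nflen; bool freed; };  /* stands in for fl->opt */
struct fl_model {                                 /* stands in for struct ip6_flowlabel */
    int users;
    bool in_hash;                                 /* still reachable by the /proc reader */
    struct opt_model *opt;
};

/* Stand-in for kfree(): only marks the block, so the model never touches freed memory. */
static void model_kfree(struct opt_model *o) { if (o) o->freed = true; }

/* Release path. early_free=true models the pre-fix behaviour for exclusive labels. */
static void model_fl_release(struct fl_model *fl, bool early_free) {
    if (--fl->users == 0 && early_free)
        model_kfree(fl->opt);                     /* opt dies while fl is still hashed */
}

/* Garbage collection followed by RCU teardown: unhash, then free the option block. */
static void model_fl_free_rcu(struct fl_model *fl) {
    fl->in_hash = false;
    model_kfree(fl->opt);                         /* idempotent in this model */
}

/* Reader: returns opt_nflen, 0 if nothing to print, -1 if it would read freed state. */
static int model_seq_show(const struct fl_model *fl) {
    if (!fl->in_hash || !fl->opt) return 0;
    return fl->opt->freed ? -1 : fl->opt->opt_nflen;
}

/* One interleaving: last user releases, reader runs, teardown happens afterwards. */
int reader_result_in_window(bool early_free) {
    struct opt_model opt = { .opt_nflen = 8, .freed = false };
    struct fl_model fl = { .users = 1, .in_hash = true, .opt = &opt };
    model_fl_release(&fl, early_free);
    int seen = model_seq_show(&fl);               /* fl is still hashed at this point */
    model_fl_free_rcu(&fl);
    return seen;
}

int main(void) {
    printf("pre-fix: %d, post-fix: %d\n",
           reader_result_in_window(true), reader_result_in_window(false));
    return 0;
}
```

With the early free, the reader lands in the window where the flowlabel is still hashed but its option block is gone; deferring the free to teardown closes that window.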

Affected Systems

The issue exists in all Linux kernel releases prior to the merge of the commit that delays freeing the flowlabel option until the RCU teardown. Every running kernel that has not yet applied the patch is therefore affected, regardless of its release number. The CPE list confirms coverage of all Linux kernel product variants.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity for a denial of service. The EPSS score of less than 1% shows a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector can be inferred to be local, requiring read access to /proc/net/ip6_flowlabel, which may be world-readable on some systems. An attacker can trigger the race by concurrently accessing that file, leading to a kernel panic or system reboot.

Generated by OpenCVE AI on May 6, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that contains the fix for the flowlabel option deallocation bug.
  • Reboot the system after the kernel upgrade to clear outstanding RCU structures and ensure the patched code is active.
  • If an immediate kernel upgrade is not feasible, restrict read permissions on /proc/net/ip6_flowlabel (e.g., chmod 600) or disable the flowlabel feature if it is not required to prevent the race condition from being triggered.


Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4561-1 | linux-6.1 security update |
| Debian DSA | DSA-6238-1 | linux security update |
| Debian DSA | DSA-6243-1 | linux security update |

History

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
Title net: ipv6: flowlabel: defer exclusive option free until RCU teardown
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:33.813Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31680

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-25T09:16:01.673

Modified: 2026-05-06T21:23:31.950

Link: CVE-2026-31680

Redhat

Severity: Moderate

Public Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31680 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z

Weaknesses