Description
In the Linux kernel, the following vulnerability has been resolved:

net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()

In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points
directly into the mmap'd TX ring buffer shared with userspace. The
kernel validates the header via __packet_snd_vnet_parse() but then
re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent
userspace thread can modify the vnet_hdr fields between validation
and use, bypassing all safety checks.

The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr
to a stack-local variable. All other vnet_hdr consumers in the kernel
(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX
path is the only caller of virtio_net_hdr_to_skb() that reads directly
from user-controlled shared memory.

Fix this by copying vnet_hdr from the mmap'd ring buffer to a
stack-local variable before validation and use, consistent with the
approach used in packet_snd() and all other callers.
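
The double-fetch pattern described above and the stack-copy fix, as an added userspace illustration (not kernel code and not taken from the patch). `struct ring_hdr`, `racer_fn`, `flip_hdr_len` and both `send_*` functions are hypothetical names, and the concurrent writer is simulated deterministically by a callback invoked between check and use.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for a header in the shared TX ring (hypothetical
 * layout, not the kernel's struct virtio_net_hdr). */
struct ring_hdr {
    uint16_t hdr_len;   /* claimed header length */
    uint16_t gso_size;  /* claimed segment size */
};

/* Stand-in for a concurrent userspace writer, run between check and use. */
typedef void (*racer_fn)(volatile struct ring_hdr *shared);

void flip_hdr_len(volatile struct ring_hdr *shared)
{
    shared->hdr_len = 0xffff;   /* constructed out-of-range value */
}

static int hdr_ok(uint16_t hdr_len, size_t frame_len)
{
    return hdr_len <= frame_len;   /* claimed length must fit the frame */
}

/* Double fetch: validate through the shared pointer, then read it again. */
long send_double_fetch(volatile struct ring_hdr *shared, size_t len, racer_fn racer)
{
    if (!hdr_ok(shared->hdr_len, len))   /* first fetch: check */
        return -1;
    racer(shared);                       /* window between check and use */
    return shared->hdr_len;              /* second fetch: unvalidated value */
}

/* Snapshot: copy once to a local, then validate and use only the copy. */
long send_snapshot(volatile struct ring_hdr *shared, size_t len, racer_fn racer)
{
    struct ring_hdr local = { shared->hdr_len, shared->gso_size };
    if (!hdr_ok(local.hdr_len, len))
        return -1;
    racer(shared);                       /* shared memory changes ... */
    return local.hdr_len;                /* ... the validated copy does not */
}

int main(void)
{
    struct ring_hdr a = { 64, 1448 }, b = { 64, 1448 };   /* constructed input */
    long racy = send_double_fetch(&a, 1500, flip_hdr_len);
    long safe = send_snapshot(&b, 1500, flip_hdr_len);
    return !(racy == 65535 && safe == 64);
}
```
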
Published: 2026-05-01
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel implements a packet transmission path that allows user‑space applications to map a transmit ring buffer into their address space. When the PACKET_VNET_HDR feature is active, the kernel reads the virtio net header directly from this shared memory instead of copying it first. The code first validates the header, then later re‑reads the fields when converting the packet data to a socket buffer. A concurrent user thread can modify the header between these two steps, bypassing the validation and potentially injecting crafted data or corrupting the packet format. This TOCTOU race could result in malformed packets, loss of data integrity, or other unintended kernel behavior.

Affected Systems

All Linux kernel releases that incorporate the tpacket_snd() implementation prior to the commit that copies the vnet_hdr to a stack‑local variable. The issue is present when the PACKET_VNET_HDR option is enabled in TPACKET transmit mode.

Risk and Exploitability

The EPSS score for this vulnerability is not available and it is not listed in CISA’s KEV catalog, so exploitation likelihood is not well documented at this time. The CVSS score is 7.0, reflecting a moderate to high severity. Because the flaw is a race condition on shared memory exposed to user space, it is inherently local to the system running the affected kernel; however, any user with write access to the mapped buffer could attempt the race. No specific exploit is known, but the mechanism allows modified packet headers to bypass kernel checks.

Generated by OpenCVE AI on May 2, 2026 at 10:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the commit fixing the race condition (e.g., a kernel newer than the one that contains commit 28324a3b62d9ce7f9bdd65a8ce63f382041d1b27).
  • If a newer kernel cannot be used, manually apply the patch that copies vnet_hdr from the mapped ring buffer to a stack‑local variable and rebuild the kernel module.
  • Until a patch is applied, disable the PACKET_VNET_HDR feature or avoid using TPACKET devices that expose the vnet_hdr to user space.


Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-367
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate


Fri, 01 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks. The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory. Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.
Title | | net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:56:00.205Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31700

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:19.907

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31700

Red Hat

Severity : Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31700 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T21:45:09Z

Weaknesses