CVE-2026-31406
Received - Intake
Race Condition in Linux Kernel xfrm_nat_keepalive Causes Use-After-Free

Publication date: 2026-04-06

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()

After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.

The following is a simple race scenario:

               cpu0                                     cpu1

    cleanup_net() [Round 1]
      ops_undo_list()
        xfrm_net_exit()
          xfrm_nat_keepalive_net_fini()
            cancel_delayed_work_sync(nat_keepalive_work);
          xfrm_state_fini()
            xfrm_state_flush()
              xfrm_state_delete(x)
                __xfrm_state_delete(x)
                  xfrm_nat_keepalive_state_updated(x)
                    schedule_delayed_work(nat_keepalive_work);
      rcu_barrier();
      net_complete_free();
      net_passive_dec(net);
        llist_add(&net->defer_free_list, &defer_free_list);

    cleanup_net() [Round 2]
      rcu_barrier();
      net_complete_free()
        kmem_cache_free(net_cachep, net);
                                                nat_keepalive_work()
                                                  // on freed net

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
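The difference between the two calls can be replayed in a small user-space model. This is an added example, not kernel code and not part of the original advisory or patch; struct model_dwork and the model_* helpers are hypothetical stand-ins that assume a disabled work item rejects later scheduling attempts, while a cancelled one does not.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model of a delayed work item (hypothetical names, not kernel code). */
struct model_dwork {
    bool pending;   /* queued and waiting for its timer */
    int  disabled;  /* disable depth; > 0 rejects new queueing */
};

/* Models schedule_delayed_work(): refused while the item is disabled. */
static bool model_schedule(struct model_dwork *w)
{
    if (w->disabled > 0)
        return false;
    w->pending = true;
    return true;
}

/* Models the teardown call: cancel_*_sync() or disable_*_sync(). */
static void model_stop_sync(struct model_dwork *w, bool disable)
{
    if (disable)
        w->disabled++;   /* disable variant also blocks re-queueing */
    w->pending = false;  /* both variants drop the pending instance */
}

/* Replays the teardown order from the description. Returns true if
 * nat_keepalive_work is still pending at the point the net is freed. */
static bool teardown_leaves_work_pending(bool use_disable)
{
    struct model_dwork nat_keepalive_work = { .pending = true, .disabled = 0 };

    /* xfrm_nat_keepalive_net_fini() */
    model_stop_sync(&nat_keepalive_work, use_disable);

    /* xfrm_state_fini() -> ... -> xfrm_nat_keepalive_state_updated(x) */
    model_schedule(&nat_keepalive_work);

    /* kmem_cache_free(net_cachep, net) would happen at this point */
    return nat_keepalive_work.pending;
}

int main(void)
{
    printf("cancel:  pending at free = %d\n", teardown_leaves_work_pending(false));
    printf("disable: pending at free = %d\n", teardown_leaves_work_pending(true));
    return 0;
}
```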
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's xfrm subsystem related to network state cleanup and delayed work scheduling.

During the cleanup of a network namespace, a race condition occurs where a delayed work task (nat_keepalive_work) is canceled and then rescheduled, so it can later run after the associated net structure has been freed.

Specifically, after cancel_delayed_work_sync() is called to cancel the delayed work, the system flushes remaining states and then inadvertently reschedules the delayed work. This can lead to the delayed work running on a freed network structure, causing potential use-after-free issues.

The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() to prevent the rescheduling of the delayed work after cancellation, thus avoiding the race condition.


How can this vulnerability impact me?

This vulnerability can lead to a race condition where delayed work is executed on freed network resources.

Such a scenario can cause use-after-free errors, which may result in system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by replacing cancel_delayed_work_sync() with disable_delayed_work_sync() in the affected Linux kernel code. Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.

