CVE-2026-31429
Received Received - Intake
Cross-Cache Free Vulnerability in Linux Kernel skb Handling

Publication date: 2026-04-20

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: skb: fix cross-cache free of KFENCE-allocated skb head SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc bucket sizes. This ensures that skb_kfree_head() can reliably use skb_end_offset to distinguish skb heads allocated from skb_small_head_cache vs. generic kmalloc caches. However, when KFENCE is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If a caller (e.g. bpf_test_init) allocates skb head data via kzalloc() and the requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then slab_build_skb() -> ksize() returns that exact value. After subtracting skb_shared_info overhead, skb_end_offset ends up matching SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free the object to skb_small_head_cache instead of back to the original kmalloc cache, resulting in a slab cross-cache free: kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k Fix this by always calling kfree(head) in skb_kfree_head(). This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-27
Generated
2026-05-07
AI Q&A
2026-04-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31429
EUVD
EUVD-2026-23816
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's network stack related to the handling of socket buffer (skb) head allocations when KFENCE is enabled. Normally, skb heads are allocated from a special cache (skb_small_head_cache) with a specific size to avoid collisions with generic memory allocations. However, when KFENCE is enabled, the allocation size returned does not match the expected slab bucket size, causing the system to misclassify the memory cache during free operations.

Specifically, if an skb head is allocated with a size equal to SKB_SMALL_HEAD_CACHE_SIZE via kzalloc(), the function skb_kfree_head() may incorrectly free the memory to the wrong cache, leading to a cross-cache free error. This happens because the size calculations cause skb_kfree_head() to misidentify the origin of the allocation.

The fix involves always calling the generic kfree() function in skb_kfree_head() to avoid allocator-specific misclassification and prevent freeing memory to the wrong slab cache.


How can this vulnerability impact me? :

This vulnerability can lead to incorrect memory management in the Linux kernel's networking code, specifically causing cross-cache frees. Such memory mismanagement can result in system instability, crashes, or potential memory corruption.

While the description does not explicitly mention exploitation scenarios, improper freeing of memory can sometimes be leveraged by attackers to cause denial of service or potentially execute arbitrary code, depending on the context and other system protections.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring that skb_kfree_head() always calls kfree(head), which avoids incorrect freeing of skb heads allocated with KFENCE.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart