CVE-2026-31469
Status: Received - Intake
Use-After-Free Vulnerability in Linux virtio_net Driver Causes Kernel Crash

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules). When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed.

In virtio_net with napi_tx=N, skbs may remain in the virtio transmit ring for an extended period. If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure has been freed. When a subsequent packet is transmitted, free_old_xmit() is triggered to clean up old skbs. It then calls dst_release() on the skb associated with the stale dst_entry. Since the dst_ops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs.

Fix it by adding skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net.

Call Trace:
Unable to handle kernel paging request at virtual address ffff80007e150000
CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
...
percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
dst_release+0xe0/0x110 net/core/dst.c:177
skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
__free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]
free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
...
Reproduction Steps:

    NETDEV="enp3s0"

    # Installing a tc route classifier clears IFF_XMIT_DST_RELEASE on the device,
    # so the driver becomes responsible for the skb's dst reference.
    config_qdisc_route_filter() {
        tc qdisc del dev $NETDEV root
        tc qdisc add dev $NETDEV root handle 1: prio
        tc filter add dev $NETDEV parent 1:0 \
            protocol ip prio 100 route to 100 flowid 1:1
        ip route add 192.168.1.100/32 dev $NETDEV realm 100
    }

    # Transmit from inside a namespace, then tear the namespace down while the
    # skb may still sit in the TX ring (napi_tx=N), freeing its dst_ops.
    test_ns() {
        ip netns add testns
        ip link set $NETDEV netns testns
        ip netns exec testns ifconfig $NETDEV 10.0.32.46/24
        ip netns exec testns ping -c 1 10.0.32.1
        ip netns del testns
    }

    config_qdisc_route_filter
    test_ns
    sleep 2
    # The second transmit makes free_old_xmit() reap the stale skb.
    test_ns
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: linux_kernel | Product: linux_kernel | Version / Range: 7.0.0-rc1
CWE ID: CWE-UNKNOWN (no CWE assigned on this page)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Use-After-Free (UAF) issue in the Linux kernel's virtio_net driver. It occurs when the driver is configured with napi_tx set to false and the device's IFF_XMIT_DST_RELEASE flag is cleared. Under these conditions, the network stack expects the driver to hold a reference to the packet's destination (skb->dst) until the packet is fully transmitted and freed.

However, with napi_tx disabled, packets (skbs) may remain in the transmit ring for a long time. If the network namespace is destroyed while these packets are still pending, the destination operations structure (dst_ops) their dst_entry points at is freed along with it. Later, when free_old_xmit() reaps the old packets, dst_release() decrements a per-cpu entry counter that lives inside that freed dst_ops (the percpu_counter_add_batch frame in the trace), so the kernel takes an unhandled paging request on freed memory: a use-after-free.

The fix involves explicitly releasing the destination reference before queuing the packet in virtio_net, preventing the use of freed memory.


How can this vulnerability impact me?

The advisory reports a kernel oops (an unhandled paging request) in the networking core, i.e. a crash of the guest or host running the affected kernel: a denial of service. No other impact is described.

Triggering it requires network-administrator rights over the virtio_net device (CAP_NET_ADMIN in its namespace) to install the tc route filter that clears IFF_XMIT_DST_RELEASE and to move the device through a namespace that is then deleted, plus napi_tx=N. The realistic exposures are therefore a privileged but mistaken configuration, automation (container or VM tooling that moves virtio NICs between namespaces and uses route classifiers), or a tenant who already holds such rights inside a guest and wants to crash it.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The only detection this page offers is reproducing the fault, and a successful reproduction is a kernel oops: run it only in a disposable VM, never on a production guest. Before trying it, confirm the preconditions actually hold, otherwise a non-crash proves nothing: the interface must be bound to virtio_net (readlink /sys/class/net/<dev>/device/driver ends in virtio_net) and the napi_tx module parameter must read N (cat /sys/module/virtio_net/parameters/napi_tx). The reproducer from the commit message installs a tc route filter, which clears IFF_XMIT_DST_RELEASE on the device, then moves the device through a network namespace that is torn down while a transmitted packet may still sit in the TX ring.

Configure the qdisc and route filter on the network device (replace enp3s0 with your virtio_net device name):

  • tc qdisc del dev enp3s0 root
  • tc qdisc add dev enp3s0 root handle 1: prio
  • tc filter add dev enp3s0 parent 1:0 protocol ip prio 100 route to 100 flowid 1:1
  • ip route add 192.168.1.100/32 dev enp3s0 realm 100

Then create a network namespace, move the device into it, send one packet, and delete the namespace (ifconfig from net-tools both assigns the address and brings the interface up; with iproute2 use ip addr add followed by ip link set up):

  • ip netns add testns
  • ip link set enp3s0 netns testns
  • ip netns exec testns ifconfig enp3s0 10.0.32.46/24
  • ip netns exec testns ping -c 1 10.0.32.1
  • ip netns del testns

The reproducer runs this namespace cycle twice with a two-second pause. On a vulnerable kernel the packet sent in the second cycle makes free_old_xmit() reap the skb left over from the first, whose dst_entry points at the dst_ops freed with the deleted namespace, and the oops ("Unable to handle kernel paging request", with dst_release and free_old_xmit in the trace) appears on the console or in dmesg. The race is timing-dependent: a run that does not crash does not show the fix is present; check the kernel's changelog for the fix commit instead.
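The script below is an added example, not part of the kernel commit or of this advisory. It wraps the commit's reproducer with the two precondition checks named above (interface bound to virtio_net, napi_tx=N) so it refuses to run where the bug cannot trigger, and adds a check of kernel-log text for the oops signature shown in the call trace. The SYSFS_ROOT variable is an assumption introduced so the checks can be exercised against a fake sysfs tree; on a real host leave it unset. The sample log lines are copied from the advisory's trace.

```shell
#!/bin/sh
# Added example (not from the kernel commit or this advisory).
# Precondition checks for the CVE-2026-31469 reproducer plus a dmesg
# signature match. SYSFS_ROOT is an assumption so the functions can be
# tested against a fake sysfs tree; on a real host it defaults to /sys.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# 0 if <dev> is driven by virtio_net: /sys/class/net/<dev>/device/driver is a
# symlink whose target's basename is the bound driver's name.
is_virtio_net() {
    link="$SYSFS_ROOT/class/net/$1/device/driver"
    [ -e "$link" ] || return 1
    [ "$(basename "$(readlink -f "$link")")" = "virtio_net" ]
}

# 0 if the napi_tx module parameter reads N (a bool param shows Y or N).
napi_tx_disabled() {
    f="$SYSFS_ROOT/module/virtio_net/parameters/napi_tx"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "N" ]
}

# Reads kernel log text on stdin. 0 if it contains an unhandled paging
# request whose trace passes through dst_release() and virtio_net's
# free_old_xmit(), the frames shown in the advisory's call trace.
crash_signature_present() {
    awk '
        /Unable to handle kernel paging request/ { fault = 1 }
        fault && /dst_release\+/                 { dst = 1 }
        fault && /free_old_xmit.*\[virtio_net\]/ { xmit = 1 }
        END { exit (fault && dst && xmit) ? 0 : 1 }
    '
}

# Constructed sample: three lines copied from the advisory's call trace.
SAMPLE_OOPS='Unable to handle kernel paging request at virtual address ffff80007e150000
dst_release+0xe0/0x110 net/core/dst.c:177
__free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]'

# Runs the commit's reproducer only when both preconditions hold.
# WARNING: on a vulnerable kernel this crashes the machine; use a throwaway VM.
run_repro() {
    dev="$1"
    is_virtio_net "$dev" || { echo "$dev: not a virtio_net device" >&2; return 2; }
    napi_tx_disabled     || { echo "napi_tx is not N; precondition absent" >&2; return 2; }
    # Route classifier clears IFF_XMIT_DST_RELEASE on the device.
    tc qdisc del dev "$dev" root 2>/dev/null
    tc qdisc add dev "$dev" root handle 1: prio
    tc filter add dev "$dev" parent 1:0 protocol ip prio 100 route to 100 flowid 1:1
    ip route add 192.168.1.100/32 dev "$dev" realm 100
    # Two cycles: the second transmit reaps the stale skb from the first.
    for _ in 1 2; do
        ip netns add testns
        ip link set "$dev" netns testns
        ip netns exec testns ip addr add 10.0.32.46/24 dev "$dev"
        ip netns exec testns ip link set "$dev" up
        ip netns exec testns ping -c 1 -W 1 10.0.32.1
        ip netns del testns
        sleep 2
    done
    # If the kernel survived, look for a logged oops anyway.
    dmesg | crash_signature_present && echo "oops signature found: kernel is vulnerable"
}

# Usage, as root on a disposable VM: sh thisfile.sh enp3s0
if [ "$(id -u)" = 0 ] && [ -n "${1:-}" ]; then
    run_repro "$1"
fi
```

Run without arguments the script only defines the functions, so `dmesg | crash_signature_present` can be used on its own to scan a saved console log from a guest that already crashed.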


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by adding a call to skb_dst_drop(skb) in the start_xmit function of the virtio_net driver to explicitly release the dst reference before the skb is queued. Immediate mitigation steps include:

  • Update to a kernel that carries the fix commit "virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false". The string "7.0.0-rc1+ #6 PREEMPT" in the call trace is the uname of the kernel that crashed, not a fixed version; use your distribution's advisory to find the release with the backport.
  • Until then, avoid configurations that clear IFF_XMIT_DST_RELEASE on virtio_net devices while napi_tx is disabled (napi_tx=N); tc route classifier filters are the example the commit gives.
  • Where possible run with napi_tx enabled (the upstream default). napi_tx is a virtio_net module parameter read when the device is probed, so set it with virtio_net.napi_tx=1 on the kernel command line or in modprobe options rather than relying on a write to /sys/module/virtio_net/parameters/napi_tx after the device already exists.

These steps help prevent the use-after-free condition and the resulting kernel paging request error.

