CVE-2026-31516
Received - Intake
Use-After-Free in Linux Kernel XFRM Policy Workqueue During Netns Teardown

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: prevent policy_hthresh.work from racing with netns teardown

A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory.

xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work.

Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net.

Meta Information
Published: 2026-04-22
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 11 associated CPEs

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| linux | linux_kernel | 3.18 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 3.18.1 (inc) to 6.12.80 (exc) |

| CWE ID | Description |
|--------|-------------|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's XFRM subsystem, specifically involving the handling of work items related to network namespaces.

A work item called policy_hthresh.work can be queued onto the system workqueue by a XFRM_MSG_NEWSPDINFO request. This work item eventually calls xfrm_hash_rebuild(), which accesses a network namespace structure (struct net) via container_of().

If the network namespace is torn down before this work item runs, the struct net it tries to access may have already been freed. This leads to a use-after-free condition where xfrm_hash_rebuild() dereferences stale memory, potentially causing undefined behavior or crashes.

The fix involves synchronizing the policy_hthresh.work during network namespace teardown to ensure the work cannot outlive the namespace and access freed memory.


How can this vulnerability impact me?

This vulnerability can lead to the Linux kernel dereferencing freed memory, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.

Since it involves race conditions during network namespace teardown, systems using network namespaces extensively (such as containers or virtualized environments) may be more affected.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the fix has been applied. The fix involves synchronizing the policy_hthresh.work in xfrm_policy_fini() to prevent queued work from accessing freed memory after net namespace teardown.

Since the vulnerability is related to the Linux kernel's XFRM subsystem, applying the latest kernel patches or upgrading to a patched kernel version is the immediate recommended step.
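
A kernel-version check against the affected ranges in this page's CPE table, as an added example that is not part of the original advisory. It compares upstream version numbers only; distribution kernels often backport fixes without changing that number, so treat an "affected" result as a prompt to check the vendor's advisory. The function names and status strings are this example's own.

```python
import platform
import re

# Affected upstream ranges copied from this page's CPE table:
# (first affected version, first fixed version); the upper bound is exclusive.
AFFECTED_RANGES = [
    ((3, 18, 1), (6, 12, 80)),
    ((6, 13, 0), (6, 18, 21)),
    ((6, 19, 0), (6, 19, 11)),
]
# Versions the page lists on their own, with no range and no fixed release.
LISTED_UNQUALIFIED = {(3, 18, 0), (7, 0, 0)}


def parse_release(release):
    """Turn a `uname -r` string such as '6.12.79-generic' into (6, 12, 79)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # A missing patch level ('7.0-rc3') is treated as 0.
    return tuple(int(g or 0) for g in m.groups())


def classify(release):
    """Return (status, first_fixed_version_or_None) for a kernel release string.

    status is 'affected', 'listed-unqualified' (check manually) or 'not-listed'.
    """
    ver = parse_release(release)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= ver < first_fixed:
            return "affected", ".".join(map(str, first_fixed))
    if ver in LISTED_UNQUALIFIED:
        return "listed-unqualified", None
    return "not-listed", None


if __name__ == "__main__":
    running = platform.release()
    status, fixed = classify(running)
    print(f"{running}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```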

