{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31516", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.107Z", "datePublished": "2026-04-22T13:54:32.851Z", "dateUpdated": "2026-04-22T13:54:32.851Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:32.851Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: prevent policy_hthresh.work from racing with netns teardown\n\nA XFRM_MSG_NEWSPDINFO request can queue the per-net work item\npolicy_hthresh.work onto the system workqueue.\n\nThe queued callback, xfrm_hash_rebuild(), retrieves the enclosing\nstruct net via container_of(). If the net namespace is torn down\nbefore that work runs, the associated struct net may already have\nbeen freed, and xfrm_hash_rebuild() may then dereference stale memory.\n\nxfrm_policy_fini() already flushes policy_hash_work during teardown,\nbut it does not synchronize policy_hthresh.work.\n\nSynchronize policy_hthresh.work in xfrm_policy_fini() as well, so the\nqueued work cannot outlive the net namespace teardown and access a\nfreed struct net."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_policy.c"], "versions": [{"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c", "lessThan": "56ea2257b83ee29a543f158159e3d1abc1e3e4fe", "status": "affected", "versionType": "git"}, {"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c", "lessThan": "8854e9367465d784046362698731c1111e3b39b8", "status": "affected", "versionType": "git"}, {"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c", "lessThan": "4e2e77843fef473ef47e322d52436d8308582a96", "status": "affected", "versionType": "git"}, {"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c", "lessThan": "29fe3a61bcdce398ee3955101c39f89c01a8a77e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_policy.c"], "versions": [{"version": "3.18", "status": "affected"}, {"version": "0", "lessThan": "3.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/56ea2257b83ee29a543f158159e3d1abc1e3e4fe"}, {"url": "https://git.kernel.org/stable/c/8854e9367465d784046362698731c1111e3b39b8"}, {"url": "https://git.kernel.org/stable/c/4e2e77843fef473ef47e322d52436d8308582a96"}, {"url": "https://git.kernel.org/stable/c/29fe3a61bcdce398ee3955101c39f89c01a8a77e"}], "title": "xfrm: prevent policy_hthresh.work from racing with netns teardown", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: prevent policy_hthresh.work from racing with netns teardown\n\nA XFRM_MSG_NEWSPDINFO request can queue the per-net work item\npolicy_hthresh.work onto the system workqueue.\n\nThe queued callback, xfrm_hash_rebuild(), retrieves the enclosing\nstruct net via container_of(). If the net namespace is torn down\nbefore that work runs, the associated struct net may already have\nbeen freed, and xfrm_hash_rebuild() may then dereference stale memory.\n\nxfrm_policy_fini() already flushes policy_hash_work during teardown,\nbut it does not synchronize policy_hthresh.work.\n\nSynchronize policy_hthresh.work in xfrm_policy_fini() as well, so the\nqueued work cannot outlive the net namespace teardown and access a\nfreed struct net."}], "id": "CVE-2026-31516", "lastModified": "2026-04-22T14:16:51.130", "metrics": {}, "published": "2026-04-22T14:16:51.130", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/29fe3a61bcdce398ee3955101c39f89c01a8a77e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4e2e77843fef473ef47e322d52436d8308582a96"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/56ea2257b83ee29a543f158159e3d1abc1e3e4fe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8854e9367465d784046362698731c1111e3b39b8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: xfrm: prevent policy_hthresh.work from racing with netns teardown", "id": "2460720", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460720"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-364", "details": ["A flaw was found in the Linux kernel's XFRM (IP eXtensible FRamework) subsystem. A race condition can occur during the teardown of a network namespace, where a work item attempts to access memory that has already been freed. This can lead to a use-after-free vulnerability, potentially causing system instability or denial of service."], "name": "CVE-2026-31516", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31516\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31516\nhttps://lore.kernel.org/linux-cve-announce/2026042210-CVE-2026-31516-59d8@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[880a6fab8f6ba5b5abe59ea68533202ddea1012c,56ea2257b83ee29a543f158159e3d1abc1e3e4fe)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[880a6fab8f6ba5b5abe59ea68533202ddea1012c,8854e9367465d784046362698731c1111e3b39b8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[880a6fab8f6ba5b5abe59ea68533202ddea1012c,4e2e77843fef473ef47e322d52436d8308582a96)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[880a6fab8f6ba5b5abe59ea68533202ddea1012c,29fe3a61bcdce398ee3955101c39f89c01a8a77e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.18,3.18]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:38:26.623385+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that contains the fix for the XFRM policy hash rebuild race condition.", "If an update is not immediately possible, restrict the ability of untrusted entities to send XFRM_MSG_NEWSPDINFO messages by tightening network ACLs or employing firewall rules, and limit the use of network namespaces to trusted services.", "Enforce strict access controls using SELinux or AppArmor profiles to prevent unprivileged processes from interacting with the XFRM subsystem.", "Monitor kernel event logs (dmesg, /var/log/kern.log) for out\u2011of\u2011bounds or oops logs that indicate the use\u2011after\u2011free has been triggered, and investigate promptly."], "summary": {"action": "Patch Immediately", "impact": "Use\u2011after\u2011free leading to potential privilege escalation or denial of service"}, "threat_synthesis": {"affected_systems": "Vulnerable kernels are any Linux systems that contain the legacy XFRM implementation before the patch was applied. No specific version range is provided, so all kernels that lack the synchronize policy_hthresh.work change are at risk.", "description_and_impact": "The flaw allows an attacker to trigger an XFRM_MSG_NEWSPDINFO request that queues a net\u2011namespace work item. If the namespace is torn down before the work executes, the callback dereferences freed memory, which can corrupt kernel data or lead to arbitrary code execution. The effect is a kernel memory corruption that could elevate privileges or cause a crash.", "risk_and_exploitability": "Although no CVSS score is supplied, the existence of a use\u2011after\u2011free in the core networking stack indicates high severity. EPSS is not available and the issue is not yet listed in CISA KEV, but the underlying race condition could be exploited remotely if an attacker can invoke malformed XFRM messages. Attackers with network-level access or the ability to send XFRM packets could trigger the fault, leading to privilege escalation or denial of service."}}}}, "created": "2026-04-22T18:45:24.009669+00:00", "updated": "2026-04-22T19:00:07.812224+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}