Linux Kernel Fanout UAF via NETDEV_UP Race: CVE-2026-31504 April 2026

Linux Kernel Fanout UAF via NETDEV_UP Race
CVE-2026-31504 Published on April 22, 2026

net: fix fanout UAF in packet_release() via NETDEV_UP race
In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.

Products Associated with CVE-2026-31504

Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.

Affected Versions

Version ce06b03e60fc19c680d1bf873e779bf11c2fc518 and below ee642b1962caa9aa231c01abbd58bc453ae6b66e is affected.

Version ce06b03e60fc19c680d1bf873e779bf11c2fc518 and below 42cfd7898eeed290c9fb73f732af1f7d6b0a703e is affected.

Version ce06b03e60fc19c680d1bf873e779bf11c2fc518 and below 1b4c03f8892d955385c202009af7485364731bb9 is affected.

Version ce06b03e60fc19c680d1bf873e779bf11c2fc518 and below 654386baef228c2992dbf604c819e4c7c35fc71b is affected.

Version ce06b03e60fc19c680d1bf873e779bf11c2fc518 and below 75fe6db23705a1d55160081f7b37db9665b1880b is affected.

Version ce06b03e60fc19c680d1bf873e779bf11c2fc518 and below d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6 is affected.

Version ce06b03e60fc19c680d1bf873e779bf11c2fc518 and below ceccbfc6de720ad633519a226715989cfb065af1 is affected.

Version ce06b03e60fc19c680d1bf873e779bf11c2fc518 and below 42156f93d123436f2a27c468f18c966b7e5db796 is affected.

Version 3.1 is affected.

Before 3.1 is unaffected.

Version 5.10.253, <= 5.10.* is unaffected.

Version 5.15.203, <= 5.15.* is unaffected.

Version 6.1.168, <= 6.1.* is unaffected.

Version 6.6.131, <= 6.6.* is unaffected.

Version 6.12.80, <= 6.12.* is unaffected.

Version 6.18.21, <= 6.18.* is unaffected.

Version 6.19.11, <= 6.19.* is unaffected.

Version 7.0, <= * is unaffected.

Linux Kernel Fanout UAF via NETDEV_UP RaceCVE-2026-31504 Published on April 22, 2026

Products Associated with CVE-2026-31504

Affected Versions

Linux Kernel Fanout UAF via NETDEV_UP Race
CVE-2026-31504 Published on April 22, 2026