Linux kernel: XFRM policy hash work race with netns teardown
CVE-2026-31516 Published on April 22, 2026
xfrm: prevent policy_hthresh.work from racing with netns teardown
In the Linux kernel, the following vulnerability has been resolved:
xfrm: prevent policy_hthresh.work from racing with netns teardown
A XFRM_MSG_NEWSPDINFO request can queue the per-net work item
policy_hthresh.work onto the system workqueue.
The queued callback, xfrm_hash_rebuild(), retrieves the enclosing
struct net via container_of(). If the net namespace is torn down
before that work runs, the associated struct net may already have
been freed, and xfrm_hash_rebuild() may then dereference stale memory.
xfrm_policy_fini() already flushes policy_hash_work during teardown,
but it does not synchronize policy_hthresh.work.
Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the
queued work cannot outlive the net namespace teardown and access a
freed struct net.
Products Associated with CVE-2026-31516
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 880a6fab8f6ba5b5abe59ea68533202ddea1012c and below 56ea2257b83ee29a543f158159e3d1abc1e3e4fe is affected.
- Version 880a6fab8f6ba5b5abe59ea68533202ddea1012c and below 8854e9367465d784046362698731c1111e3b39b8 is affected.
- Version 880a6fab8f6ba5b5abe59ea68533202ddea1012c and below 4e2e77843fef473ef47e322d52436d8308582a96 is affected.
- Version 880a6fab8f6ba5b5abe59ea68533202ddea1012c and below 29fe3a61bcdce398ee3955101c39f89c01a8a77e is affected.
- Version 3.18 is affected.
- Before 3.18 is unaffected.
- Version 6.12.80, <= 6.12.* is unaffected.
- Version 6.18.21, <= 6.18.* is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.