Linux kernel: race in xfrm_input_resume causes device teardown
CVE-2026-31663 Published on April 24, 2026
xfrm: hold dev ref until after transport_finish NF_HOOK
In the Linux kernel, the following vulnerability has been resolved:
xfrm: hold dev ref until after transport_finish NF_HOOK
After async crypto completes, xfrm_input_resume() calls dev_put()
immediately on re-entry before the skb reaches transport_finish.
The skb->dev pointer is then used inside NF_HOOK and its okfn,
which can race with device teardown.
Remove the dev_put from the async resumption entry and instead
drop the reference after the NF_HOOK call in transport_finish,
using a saved device pointer since NF_HOOK may consume the skb.
This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip
the okfn.
For non-transport exits (decaps, gro, drop) and secondary
async return points, release the reference inline when
async is set.
Products Associated with CVE-2026-31663
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version acf568ee859f098279eadf551612f103afdacb4e and below 0f451b43c88bf2b9c038b414be580efee42e031b is affected.
- Version acf568ee859f098279eadf551612f103afdacb4e and below 5002beda5cac69d522dc54da0d5d463ed9c963d2 is affected.
- Version acf568ee859f098279eadf551612f103afdacb4e and below 1c428b03840094410c5fb6a5db30640486bbbfcb is affected.
- Version 69895c5ea0ca2e8d7de1e6d36965d0ab9730787f is affected.
- Version 833760100588acfb267dac4d6a02ab9931237739 is affected.
- Version e095ecaec6d94aa2156cceb98a85d409b51190f3 is affected.
- Version 4.15 is affected.
- Before 4.15 is unaffected.
- Version 6.18.23, <= 6.18.* is unaffected.
- Version 6.19.13, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.