IM
IronMonkey Threat Research

CVE-2026-31680 HIGH

Published: 2026-04-25 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Type: Secondary

Exploitability Score: 1.8

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en NVD-CWE-noinfo

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702b4032b840> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdcf6a7c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bddf50400> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b4032b7c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b40328040> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b40329200> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bddf52840> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdcf68440> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702b40328500> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702b40329000> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bddf539c0> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bddf53440> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bddf51800> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

References

Notification
Message here