virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
Summary
| CVE | CVE-2026-31469 |
|---|
| State | PUBLISHED |
|---|
| Assigner | Linux |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2026-04-22 14:16:43 UTC |
|---|
| Updated | 2026-04-22 14:16:43 UTC |
|---|
| Description | In the Linux kernel, the following vulnerability has been resolved:
virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
and the device's IFF_XMIT_DST_RELEASE flag is cleared
(e.g., during the configuration of tc route filter rules).
When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
expects the driver to hold the reference to skb->dst until the packet
is fully transmitted and freed. In virtio_net with napi_tx=N,
skbs may remain in the virtio transmit ring for an extended period.
If the network namespace is destroyed while these skbs are still pending,
the corresponding dst_ops structure has freed. When a subsequent packet
is transmitted, free_old_xmit() is triggered to clean up old skbs.
It then calls dst_release() on the skb associated with the stale dst_entry.
Since the dst_ops (referenced by the dst_entry) has already been freed,
a UAF kernel paging request occurs.
fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
the dst reference before the skb is queued in virtio_net.
Call Trace:
Unable to handle kernel paging request at virtual address ffff80007e150000
CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
...
percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
dst_release+0xe0/0x110 net/core/dst.c:177
skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
__free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]
free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
...
Reproduction Steps:
NETDEV="enp3s0"
config_qdisc_route_filter() {
tc qdisc del dev $NETDEV root
tc qdisc add dev $NETDEV root handle 1: prio
tc filter add dev $NETDEV parent 1:0 \
protocol ip prio 100 route to 100 flowid 1:1
ip route add 192.168.1.100/32 dev $NETDEV realm 100
}
test_ns() {
ip netns add testns
ip link set $NETDEV netns testns
ip netns exec testns ifconfig $NETDEV 10.0.32.46/24
ip netns exec testns ping -c 1 10.0.32.1
ip netns del testns
}
config_qdisc_route_filter
test_ns
sleep 2
test_ns |
|---|
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|
| CNA |
Linux |
Linux |
affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 be0e63f3b97bbaf453c542e8a15ba2a536e2ac01 git |
Not specified |
| CNA |
Linux |
Linux |
affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 c1ec36cb3768574b916f20d2d7415fd14fa1bf12 git |
Not specified |
| CNA |
Linux |
Linux |
affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 8a4790850e710fd6771e4d2112168ed1dd6c0e54 git |
Not specified |
| CNA |
Linux |
Linux |
affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 fedd2e1630cac920844997227ccbe7b26a76375a git |
Not specified |
| CNA |
Linux |
Linux |
affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 f04733c4dc40c43899c3d1c97afbae5831a3770f git |
Not specified |
| CNA |
Linux |
Linux |
affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 9a18629f2525781f0f3dda7be72b204e4cf77d08 git |
Not specified |
| CNA |
Linux |
Linux |
affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 63d45077b97bb0e0fe0c75931acbbca7a47af141 git |
Not specified |
| CNA |
Linux |
Linux |
affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 ba8bda9a0896746053aa97ac6c3e08168729172c git |
Not specified |
| CNA |
Linux |
Linux |
affected 2.6.26 |
Not specified |
| CNA |
Linux |
Linux |
unaffected 2.6.26 semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 5.10.253 5.10.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 5.15.203 5.15.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.1.168 6.1.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.6.131 6.6.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.12.80 6.12.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.18.21 6.18.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.19.11 6.19.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.0 * original_commit_for_fix |
Not specified |
References
| Reference | Source | Link | Tags |
|---|
| git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.
