{"api_version":"1","generated_at":"2026-04-23T11:34:57+00:00","cve":"CVE-2026-31469","urls":{"html":"https://cve.report/CVE-2026-31469","api":"https://cve.report/api/cve/CVE-2026-31469.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31469","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31469"},"summary":{"title":"virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb->dst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n  ...\n  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n  dst_release+0xe0/0x110  net/core/dst.c:177\n  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]\n  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n  ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n    tc qdisc del dev $NETDEV root\n    tc qdisc add dev $NETDEV root handle 1: prio\n    tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n    ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n    ip netns add testns\n    ip link set $NETDEV netns testns\n    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24\n    ip netns exec testns ping -c 1 10.0.32.1\n    ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-22 14:16:43","updated_at":"2026-04-22 14:16:43"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141","name":"https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f","name":"https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08","name":"https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a","name":"https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54","name":"https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01","name":"https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12","name":"https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c","name":"https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31469","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31469","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 be0e63f3b97bbaf453c542e8a15ba2a536e2ac01 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 c1ec36cb3768574b916f20d2d7415fd14fa1bf12 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 8a4790850e710fd6771e4d2112168ed1dd6c0e54 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 fedd2e1630cac920844997227ccbe7b26a76375a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 f04733c4dc40c43899c3d1c97afbae5831a3770f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 9a18629f2525781f0f3dda7be72b204e4cf77d08 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 63d45077b97bb0e0fe0c75931acbbca7a47af141 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f2fc6a54585a1be6669613a31fbaba2ecbadcd36 ba8bda9a0896746053aa97ac6c3e08168729172c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.26","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.26 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.168 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.131 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.80 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/virtio_net.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"be0e63f3b97bbaf453c542e8a15ba2a536e2ac01","status":"affected","version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","versionType":"git"},{"lessThan":"c1ec36cb3768574b916f20d2d7415fd14fa1bf12","status":"affected","version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","versionType":"git"},{"lessThan":"8a4790850e710fd6771e4d2112168ed1dd6c0e54","status":"affected","version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","versionType":"git"},{"lessThan":"fedd2e1630cac920844997227ccbe7b26a76375a","status":"affected","version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","versionType":"git"},{"lessThan":"f04733c4dc40c43899c3d1c97afbae5831a3770f","status":"affected","version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","versionType":"git"},{"lessThan":"9a18629f2525781f0f3dda7be72b204e4cf77d08","status":"affected","version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","versionType":"git"},{"lessThan":"63d45077b97bb0e0fe0c75931acbbca7a47af141","status":"affected","version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","versionType":"git"},{"lessThan":"ba8bda9a0896746053aa97ac6c3e08168729172c","status":"affected","version":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/virtio_net.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.26"},{"lessThan":"2.6.26","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.168","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.131","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.80","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"2.6.26","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"2.6.26","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.168","versionStartIncluding":"2.6.26","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.131","versionStartIncluding":"2.6.26","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"2.6.26","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"2.6.26","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"2.6.26","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"2.6.26","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb->dst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n  ...\n  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n  dst_release+0xe0/0x110  net/core/dst.c:177\n  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]\n  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n  ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n    tc qdisc del dev $NETDEV root\n    tc qdisc add dev $NETDEV root handle 1: prio\n    tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n    ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n    ip netns add testns\n    ip link set $NETDEV netns testns\n    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24\n    ip netns exec testns ping -c 1 10.0.32.1\n    ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns"}],"providerMetadata":{"dateUpdated":"2026-04-22T13:53:58.266Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"},{"url":"https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12"},{"url":"https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54"},{"url":"https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a"},{"url":"https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f"},{"url":"https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08"},{"url":"https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141"},{"url":"https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c"}],"title":"virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31469","datePublished":"2026-04-22T13:53:58.266Z","dateReserved":"2026-03-09T15:48:24.097Z","dateUpdated":"2026-04-22T13:53:58.266Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 14:16:43","lastModifiedDate":"2026-04-22 14:16:43","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31469","Ordinal":"1","Title":"virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is clea","CVE":"CVE-2026-31469","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31469","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb->dst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n  ...\n  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n  dst_release+0xe0/0x110  net/core/dst.c:177\n  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]\n  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n  ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n    tc qdisc del dev $NETDEV root\n    tc qdisc add dev $NETDEV root handle 1: prio\n    tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n    ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n    ip netns add testns\n    ip link set $NETDEV netns testns\n    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24\n    ip netns exec testns ping -c 1 10.0.32.1\n    ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns","Type":"Description","Title":"virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is clea"}]}}}