{ "threat_severity" : "Moderate", "public_date" : "2026-04-06T00:00:00Z", "bugzilla" : { "description" : "kernel: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()", "id" : "2455332", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2455332" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nxfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()\nAfter cancel_delayed_work_sync() is called from\nxfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining\nstates via __xfrm_state_delete(), which calls\nxfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.\nThe following is a simple race scenario:\ncpu0 cpu1\ncleanup_net() [Round 1]\nops_undo_list()\nxfrm_net_exit()\nxfrm_nat_keepalive_net_fini()\ncancel_delayed_work_sync(nat_keepalive_work);\nxfrm_state_fini()\nxfrm_state_flush()\nxfrm_state_delete(x)\n__xfrm_state_delete(x)\nxfrm_nat_keepalive_state_updated(x)\nschedule_delayed_work(nat_keepalive_work);\nrcu_barrier();\nnet_complete_free();\nnet_passive_dec(net);\nllist_add(&net->defer_free_list, &defer_free_list);\ncleanup_net() [Round 2]\nrcu_barrier();\nnet_complete_free()\nkmem_cache_free(net_cachep, net);\nnat_keepalive_work()\n// on freed net\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync().", "A flaw was found in the Linux kernel, specifically within its xfrm (IP eXtensible FRamework) component. This vulnerability arises from a race condition during network cleanup, where a scheduled task (nat_keepalive_work) can be re-activated and attempt to operate on memory that has already been freed. This 'use-after-free' condition could allow a local attacker to cause the system to crash, leading to a denial of service, or potentially execute unauthorized code." ], "statement" : "After `cancel_delayed_work_sync()` in `xfrm_nat_keepalive_net_fini()`, state deletion could reschedule `nat_keepalive_work` on a net being torn down. Replacing with `disable_delayed_work_sync()` prevents new schedules. Trigger is network namespace teardown with xfrm NAT keepalive in use.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31406\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31406\nhttps://lore.kernel.org/linux-cve-announce/2026040628-CVE-2026-31406-e2f3@gregkh/T" ], "name" : "CVE-2026-31406", "csaw" : false }