{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false",
    "id" : "2460669",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460669"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-911",
  "details" : [ "A flaw was found in the Linux kernel's virtio_net driver. A local user can trigger a Use-After-Free (UAF) vulnerability by configuring the driver with specific network settings and then destroying the network namespace while data packets are still being transmitted. This premature freeing of network resources, specifically the dst_ops structure, can lead to an unhandled kernel paging request on the freed memory, resulting in a system crash and a Denial of Service (DoS)." ],
  "statement" : "Red Hat recognizes the virtio_net interaction between a cleared `IFF_XMIT_DST_RELEASE` flag, `napi_tx=N`, and network namespace (netns) teardown that left stale `dst` references. The upstream fix drops the dst before queueing SKBs in `start_xmit`. The severity should reflect a networking-adjacent UAF that requires local, admin-style control over a netns; review whether PR:N applies if your product freely exposes unprivileged network namespaces.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31469\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31469\nhttps://lore.kernel.org/linux-cve-announce/2026042254-CVE-2026-31469-65d8@gregkh/T" ],
  "name" : "CVE-2026-31469",
  "mitigation" : {
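    "value" : "To mitigate this issue, prevent the virtio_net module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Because virtio_net drives virtio network interfaces, this mitigation is only suitable for systems that do not depend on them for connectivity.",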
    "lang" : "en:us"
  },
  "csaw" : false
}