Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-25T00:00:00 kernel: net: ipv6: flowlabel: defer exclusive option free until RCU teardown 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CWE-825

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.

A flaw was found in the Linux kernel. A local user can exploit a race condition in the IPv6 flow label handling, specifically during the teardown of exclusive flow label options. This can lead to a use-after-free vulnerability when a concurrent reader accesses freed option state, triggering a system crash and a Denial of Service (DoS).

IPv6 flowlabel exclusive options were freed too early vs RCU readers; upstream defers free to teardown. Red Hat notes this is a local netns/flowlabel UAF race. Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Fix deferred kernel Red Hat Enterprise Linux 7 Fix deferred kernel-rt Red Hat Enterprise Linux 8 Fix deferred kernel Red Hat Enterprise Linux 8 Fix deferred kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31680 https://nvd.nist.gov/vuln/detail/CVE-2026-31680 https://lore.kernel.org/linux-cve-announce/2026042544-CVE-2026-31680-7624@gregkh/T