Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-01T00:00:00 kernel: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-367

In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks. The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory. Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.

A flaw was found in the Linux kernel. A Time-of-check to Time-of-use (TOCTOU) race condition exists in the `tpacket_snd()` function when `PACKET_VNET_HDR` is enabled. A local user can exploit this by modifying the `vnet_hdr` fields in the mmap'd TX ring buffer between validation and use, thereby bypassing safety checks. This could allow a local attacker to achieve a security bypass.

A TOCTOU existed between mmap'd `vnet_hdr` and `tpacket_snd()` for AF_PACKET TX. Red Hat advises patched kernels for workloads using packet mmap/TPACKET; unloading `af_packet` is a coarse mitigation where policy allows. To mitigate this issue, prevent the af_packet module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Red Hat Enterprise Linux 10 Affected kernel Red Hat Enterprise Linux 6 Out of support scope kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Affected kernel Red Hat Enterprise Linux 8 Affected kernel-rt Red Hat Enterprise Linux 9 Affected kernel Red Hat Enterprise Linux 9 Affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31700 https://nvd.nist.gov/vuln/detail/CVE-2026-31700 https://lore.kernel.org/linux-cve-announce/2026050119-CVE-2026-31700-c820@gregkh/T