PatchSiren

CVE-2026-31429 Linux CVE debrief

CVE-2026-31429 is a Linux kernel vulnerability in the skb head free path. When KFENCE is enabled, exact-size reporting from kfence_ksize() can make skb_kfree_head() misidentify a KMALLOC-allocated skb head as coming from skb_small_head_cache. That can lead to a cross-cache free and slab corruption symptoms. The fix is to always free the head with kfree(), avoiding allocator-specific misclassification.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-20
Original CVE updated: 2026-05-20
Advisory published: 2026-04-20
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and operators running affected kernel versions—especially systems that enable KFENCE, use BPF/test workloads, or otherwise exercise skb head allocation and free paths.

Technical summary

The kernel intentionally uses a non-power-of-two SKB_SMALL_HEAD_CACHE_SIZE so skb_kfree_head() can distinguish small-head cache allocations from generic kmalloc allocations via skb_end_offset. With KFENCE enabled, kfence_ksize() returns the exact requested size rather than the slab bucket size. If code such as bpf_test_init allocates skb head data with kzalloc() and the requested size matches SKB_SMALL_HEAD_CACHE_SIZE, slab_build_skb() sees a size that makes skb_end_offset match SKB_SMALL_HEAD_HEADROOM. skb_kfree_head() can then free the object to skb_small_head_cache instead of returning it to the original kmalloc cache, producing a wrong-slab-cache free. The reported symptom in the source corpus is: "kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k". The patch changes skb_kfree_head() to call kfree(head) unconditionally.

Defensive priority

Medium. The CVSS score is 5.5/Medium, but the issue affects kernel memory management and can cause high-impact availability problems. Prioritize remediation on systems that run affected kernel branches or KFENCE-enabled environments.

Recommended defensive actions

  • Upgrade to a kernel release that includes the fix or backport the relevant stable patch.
  • Verify whether your distribution kernel carries one of the listed kernel.org stable patches and has the skb_kfree_head() fix.
  • Prioritize remediation on hosts that enable KFENCE or run BPF/testing workloads that exercise skb allocation paths.
  • Monitor kernel logs for slab/cache mismatch warnings such as "Wrong slab cache" as an indicator of the bug.
  • Track distro advisories and confirm that affected kernel branches below the fixed versions have been updated.

Evidence notes

The source corpus shows NVD published the CVE on 2026-04-20 and last modified it on 2026-05-20. NVD marks the issue as analyzed, with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-401. The vulnerable version ranges listed in the corpus are Linux kernel 6.3 up to but not including 6.6.136, 6.7 up to but not including 6.12.82, 6.13 up to but not including 6.18.23, 6.19 up to but not including 6.19.13, and 7.0-rc1 through rc7. The corpus also states that the bug appears when KFENCE is enabled and the skb head allocation/free paths misclassify the allocation source. Patch references are provided by kernel.org stable commits.
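The version ranges above and the log check from the recommended actions can be combined into one host triage step. The following is an added example, not code from the CVE record or the kernel project; the function names and the sample log lines are constructed for illustration, and only the ranges and the symptom wording come from this debrief.

```python
import platform
import re

# (first affected, first fixed) upstream versions, as listed in this debrief.
LISTED_RANGES = [
    ((6, 3, 0), (6, 6, 136)),
    ((6, 7, 0), (6, 12, 82)),
    ((6, 13, 0), (6, 18, 23)),
    ((6, 19, 0), (6, 19, 13)),
]
RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
# Symptom text quoted in the technical summary; captures the cache the head came from.
SYMPTOM = re.compile(r"Wrong slab cache\. Expected skbuff_small_head but got (\S+)")

SAMPLE_LOG = [  # constructed lines; only the symptom wording comes from the debrief
    "[  812.104233] eth0: link up",
    "[  913.551872] kmem_cache_free(skbuff_small_head): Wrong slab cache. "
    "Expected skbuff_small_head but got kmalloc-1k",
]


def in_listed_range(release):
    """True if a `uname -r` style release falls in a range the debrief lists."""
    m = RELEASE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = (int(g) if g else None for g in m.groups())
    version = (major, minor, patch or 0)
    if version == (7, 0, 0):
        # Only 7.0-rc1 through rc7 are listed for the 7.0 line.
        return rc is not None and 1 <= rc <= 7
    # Other -rc kernels are compared by base version, which over-reports
    # rather than under-reports.
    return any(first <= version < fixed for first, fixed in LISTED_RANGES)


def find_wrong_cache_frees(log_lines):
    """Return the originating cache name for each skb small-head mismatch."""
    return [m.group(1) for m in map(SYMPTOM.search, log_lines) if m]


def triage(release, log_lines):
    # A distro kernel may carry a backport, so a version hit means "verify the
    # patch", while a log hit means the mismatch was actually observed.
    return {"release": release,
            "in_listed_range": in_listed_range(release),
            "wrong_cache_frees": find_wrong_cache_frees(log_lines)}


if __name__ == "__main__":
    print(triage(platform.release(), SAMPLE_LOG))
```

In practice, replace SAMPLE_LOG with lines read from the host's kernel log.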

Official resources

Publicly disclosed in the CVE record on 2026-04-20; NVD last modified the record on 2026-05-20. This debrief uses only the supplied official corpus and patch references.