PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31469 Linux CVE debrief

A use-after-free vulnerability was discovered in the Linux kernel's virtio_net driver. The issue arises when the IFF_XMIT_DST_RELEASE flag is cleared and napi_tx is set to false. This configuration can lead to a situation where the driver fails to hold a reference to the skb->dst, resulting in a use-after-free error when the network namespace is destroyed.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-22
Original CVE updated
2026-07-14
Advisory published
2026-04-22
Advisory updated
2026-07-14

Who should care

System administrators and users of Linux kernel versions 2.6.26 through 7.0-rc5 should be aware of this vulnerability. The vulnerability has been patched in various kernel versions, including 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, and 6.19.11.

Technical summary

The vulnerability occurs in the virtio_net driver when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false. In this scenario, skbs may remain in the virtio transmit ring for an extended period. If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure is freed. When a subsequent packet is transmitted, free_old_xmit() is triggered, leading to a dst_release() call on the skb associated with the stale dst_entry. Since the dst_ops has already been freed, a use-after-free kernel paging request occurs. The fix involves adding skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net.

Defensive priority

High

Recommended defensive actions

  • Apply the patches provided by the Linux kernel maintainers to update the virtio_net driver.
  • Ensure that the Linux kernel is updated to a version that includes the fix, such as 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, or 6.19.11.
  • Monitor system logs for potential use-after-free errors related to the virtio_net driver.
  • Consider implementing additional security measures, such as network traffic filtering, to reduce the attack surface.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The vulnerability was discovered in the Linux kernel's virtio_net driver. The issue is caused by a use-after-free error when the IFF_XMIT_DST_RELEASE flag is cleared and napi_tx is set to false. The fix involves adding skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net. Various kernel versions have been patched to address this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-22T14:16:43.260Z and has not been modified since then. The NVD entry is currently Modified.