PatchSiren cyber security CVE debrief
CVE-2026-31665 Linux CVE debrief
A use-after-free vulnerability was found in the Linux kernel's netfilter component. The nft_ct_timeout_obj_destroy function was freeing the timeout object immediately after nf_ct_untimeout, without waiting for an RCU grace period. This could allow concurrent packet processing on other CPUs to still hold RCU-protected references to the timeout object, leading to a potential crash or code execution. The fix adds an rcu_head to struct nf_ct_timeout and uses kfree_rcu to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-24
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-24
- Advisory updated
- 2026-07-14
Who should care
Linux kernel developers, users, network administrators, and security teams who manage Linux-based systems should be aware of this vulnerability and take necessary actions to protect their systems, especially those with exposed network interfaces or involved in network packet processing. They should apply the patch to the Linux kernel, use a supported and patched version, monitor for potential crashes or unusual behavior, review compensating controls for exposed systems, check relevant monitoring and logs, and track exceptions and retest remediated assets.
Technical summary
The vulnerability exists in the Linux kernel's netfilter component, specifically in the nft_ct_timeout_obj_destroy function. This function was freeing the timeout object immediately after nf_ct_untimeout, without waiting for an RCU grace period. This could allow concurrent packet processing on other CPUs to still hold RCU-protected references to the timeout object, leading to a potential crash or code execution.
Defensive priority
High
Recommended defensive actions
- Apply the patch to the Linux kernel
- Use a supported and patched version of the Linux kernel
- Monitor for potential crashes or unusual behavior
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The vulnerability was reported and patched by the Linux kernel developers. The fix was backported to various stable kernel versions. Evidence is limited, and defenders should verify patch application and monitor for potential crashes or unusual behavior.
Official resources
-
CVE-2026-31665 CVE record
CVE.org
-
CVE-2026-31665 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-24T15:16:46.157Z and has not been modified since then.