{"id":"CVE-2026-31469","summary":"virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb-\u003edst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n  ...\n  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n  dst_release+0xe0/0x110  net/core/dst.c:177\n  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]\n  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n  ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n    tc qdisc del dev $NETDEV root\n    tc qdisc add dev $NETDEV root handle 1: prio\n    tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n    ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n    ip netns add testns\n    ip link set $NETDEV netns testns\n    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24\n    ip netns exec testns ping -c 1 10.0.32.1\n    ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns","modified":"2026-07-04T18:29:25.581307150Z","published":"2026-04-22T13:53:58.266Z","related":["SUSE-SU-2026:22433-1","SUSE-SU-2026:22436-1","SUSE-SU-2026:22458-1","SUSE-SU-2026:22460-1","SUSE-SU-2026:2450-1","SUSE-SU-2026:2722-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31469.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31469.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31469"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f2fc6a54585a1be6669613a31fbaba2ecbadcd36"},{"fixed":"be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"},{"fixed":"c1ec36cb3768574b916f20d2d7415fd14fa1bf12"},{"fixed":"8a4790850e710fd6771e4d2112168ed1dd6c0e54"},{"fixed":"fedd2e1630cac920844997227ccbe7b26a76375a"},{"fixed":"f04733c4dc40c43899c3d1c97afbae5831a3770f"},{"fixed":"9a18629f2525781f0f3dda7be72b204e4cf77d08"},{"fixed":"63d45077b97bb0e0fe0c75931acbbca7a47af141"},{"fixed":"ba8bda9a0896746053aa97ac6c3e08168729172c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31469.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.26"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31469.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}