{"id":"CVE-2026-31700","summary":"net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()\n\nIn tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points\ndirectly into the mmap'd TX ring buffer shared with userspace. The\nkernel validates the header via __packet_snd_vnet_parse() but then\nre-reads all fields later in virtio_net_hdr_to_skb(). A concurrent\nuserspace thread can modify the vnet_hdr fields between validation\nand use, bypassing all safety checks.\n\nThe non-TPACKET path (packet_snd()) already correctly copies vnet_hdr\nto a stack-local variable. All other vnet_hdr consumers in the kernel\n(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX\npath is the only caller of virtio_net_hdr_to_skb() that reads directly\nfrom user-controlled shared memory.\n\nFix this by copying vnet_hdr from the mmap'd ring buffer to a\nstack-local variable before validation and use, consistent with the\napproach used in packet_snd() and all other callers.","modified":"2026-05-18T05:59:53.967508811Z","published":"2026-05-01T13:56:00.205Z","related":["CGA-hw38-wg5g-g99p","openSUSE-SU-2026:10793-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31700.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31700.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31700"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1d036d25e5609ba73fee6a88db01c306b140d512"},{"fixed":"74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121"},{"fixed":"3a1bf9116ea31470b89692585c3910dfe830dcdd"},{"fixed":"28324a3b62d9ce7f9bdd65a8ce63f382041d1b27"},{"fixed":"48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b"},{"fixed":"2c054e17d9d41f1020376806c7f750834ced4dc5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31700.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.6.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.84"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.25"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31700.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}