{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36"
            },
            {
              "fixed": "be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"
            },
            {
              "fixed": "c1ec36cb3768574b916f20d2d7415fd14fa1bf12"
            },
            {
              "fixed": "8a4790850e710fd6771e4d2112168ed1dd6c0e54"
            },
            {
              "fixed": "fedd2e1630cac920844997227ccbe7b26a76375a"
            },
            {
              "fixed": "f04733c4dc40c43899c3d1c97afbae5831a3770f"
            },
            {
              "fixed": "9a18629f2525781f0f3dda7be72b204e4cf77d08"
            },
            {
              "fixed": "63d45077b97bb0e0fe0c75931acbbca7a47af141"
            },
            {
              "fixed": "ba8bda9a0896746053aa97ac6c3e08168729172c"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.26"
            },
            {
              "fixed": "5.10.253"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.203"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.168"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.131"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.80"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.21"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31469.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb-\u003edst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n  ...\n  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n  dst_release+0xe0/0x110  net/core/dst.c:177\n  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]\n  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n  ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n    tc qdisc del dev $NETDEV root\n    tc qdisc add dev $NETDEV root handle 1: prio\n    tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n    ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n    ip netns add testns\n    ip link set $NETDEV netns testns\n    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24\n    ip netns exec testns ping -c 1 10.0.32.1\n    ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns",
  "id": "CVE-2026-31469",
  "modified": "2026-07-08T05:36:38.427418296Z",
  "published": "2026-04-22T13:53:58.266Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31469.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31469"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false"
}