HOMEVULNERABILITIESCVE-2026-31469
HIGH

CVE-2026-31469

Published: April 22, 2026· Updated: Apr 27, 2026

7.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

A UAF issue occurs when the virtio_net driver is configured with napi_tx=N

and the device's IFF_XMIT_DST_RELEASE flag is cleared

(e.g., during the configuration of tc route filter rules).

When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack

expects the driver to hold the reference to skb->dst until the packet

is fully transmitted and freed. In virtio_net with napi_tx=N,

skbs may remain in the virtio transmit ring for an extended period.

If the network namespace is destroyed while these skbs are still pending,

the corresponding dst_ops structure has freed. When a subsequent packet

is transmitted, free_old_xmit() is triggered to clean up old skbs.

It then calls dst_release() on the skb associated with the stale dst_entry.

Since the dst_ops (referenced by the dst_entry) has already been freed,

a UAF kernel paging request occurs.

fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release

the dst reference before the skb is queued in virtio_net.

Call Trace:

Unable to handle kernel paging request at virtual address ffff80007e150000

CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT

...

percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)

dst_release+0xe0/0x110 net/core/dst.c:177

skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177

sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255

dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469

napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527

__free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]

free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]

start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]

...

Reproduction Steps:

NETDEV="enp3s0"

config_qdisc_route_filter() {

tc qdisc del dev $NETDEV root

tc qdisc add dev $NETDEV root handle 1: prio

tc filter add dev $NETDEV parent 1:0 \

protocol ip prio 100 route to 100 flowid 1:1

ip route add 192.168.1.100/32 dev $NETDEV realm 100

}

test_ns() {

ip netns add testns

ip link set $NETDEV netns testns

ip netns exec testns ifconfig $NETDEV 10.0.32.46/24

ip netns exec testns ping -c 1 10.0.32.1

ip netns del testns

}

config_qdisc_route_filter

test_ns

sleep 2

test_ns

NVD Source

Technical Analysis

CVE-2026-31469 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-31469
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31469 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.