KernelScan.io

HIGH

xfrm NAT Keepalive Race

CVE-2026-31406

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI score: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()

After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.

The following is a simple race scenario:

    cpu0                                                    cpu1
    cleanup_net() [Round 1]
      ops_undo_list()
        xfrm_net_exit()
          xfrm_nat_keepalive_net_fini()
            cancel_delayed_work_sync(nat_keepalive_work);
          xfrm_state_fini()
            xfrm_state_flush()
              xfrm_state_delete(x)
                __xfrm_state_delete(x)
                  xfrm_nat_keepalive_state_updated(x)
                    schedule_delayed_work(nat_keepalive_work);
      rcu_barrier();
      net_complete_free();
        net_passive_dec(net);
          llist_add(&net->defer_free_list, &defer_free_list);
    cleanup_net() [Round 2]
      rcu_barrier();
      net_complete_free()
        kmem_cache_free(net_cachep, net);
                                                            nat_keepalive_work() // on freed net

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().


Engine v0.2.0

Risk summary

A race condition in the XFRM NAT keepalive cleanup allows a delayed work function to execute on freed network namespace memory, potentially leading to kernel memory corruption. This affects systems using IPsec ESP-in-UDP with NAT keepalives and requires local access with network configuration privileges.

Affected: net/xfrm/xfrm_nat_keepalive.c (xfrm subsystem)

Vulnerability analysis

The vulnerability is a classic use-after-free race condition during network namespace cleanup. The root cause is that cancel_delayed_work_sync() only cancels work that is currently pending; it does not prevent the work from being scheduled again afterwards. During network namespace teardown, after the work has been cancelled, xfrm_state_fini() flushes the remaining IPsec states, and deleting a state with NAT keepalive configured calls xfrm_nat_keepalive_state_updated(), which reschedules the work against the namespace that is about to be freed. When the delayed work later runs, it dereferences the freed struct net. The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync(), which both cancels pending work and rejects any further scheduling attempts. The issue is reachable locally by users with CAP_NET_ADMIN (for example, in a user namespace they own) who can create IPsec states with NAT keepalive intervals and then trigger teardown of the namespace.


Branch     Fixed in   Patch commit
6.12       6.12.80    32d0f44c2f14
6.18       6.18.21    2255ed6adbc3
6.19       6.19.11    21f2fc49ca6f
mainline   7.0        daf8e3b253aa