HIGH
virtio_net DstOps UAF
CVE-2026-31469
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI8.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules). When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed. In virtio_net with napi_tx=N, skbs may remain in the virtio transmit ring for an extended period. If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure has freed. When a subsequent packet is transmitted, free_old_xmit() is triggered to clean up old skbs. It then calls dst_release() on the skb associated with the stale dst_entry. Since the dst_ops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs. fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net. Call Trace: Unable to handle kernel paging request at virtual address ffff80007e150000 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT ... percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P) dst_release+0xe0/0x110 net/core/dst.c:177 skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177 sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255 dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469 napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527 __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net] free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net] start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net] ... Reproduction Steps: NETDEV="enp3s0" config_qdisc_route_filter() { tc qdisc del dev $NETDEV root tc qdisc add dev $NETDEV root handle 1: prio tc filter add dev $NETDEV parent 1:0 \ protocol ip prio 100 route to 100 flowid 1:1 ip route add 192.168.1.100/32 dev $NETDEV realm 100 } test_ns() { ip netns add testns ip link set $NETDEV netns testns ip netns exec testns ifconfig $NETDEV 10.0.32.46/24 ip netns exec testns ping -c 1 10.0.32.1 ip netns del testns } config_qdisc_route_filter test_ns sleep 2 test_ns
02KernelScan AI Analysis
Risk summary
Local attackers with CAP_NET_ADMIN privileges (obtainable via user namespaces on default kernels) can trigger a use-after-free vulnerability in the virtio_net driver when network namespaces are destroyed while packets remain queued. This leads to kernel memory corruption and potential privilege escalation, information disclosure, or system crashes.
Vulnerability analysis
The vulnerability occurs when virtio_net is configured with napi_tx=false and the IFF_XMIT_DST_RELEASE flag is cleared (e.g., by tc route filter configuration). In this configuration, skbs can remain in the virtio transmit ring for extended periods. When a network namespace is destroyed while these skbs are pending, the associated dst_ops structure is freed. Later, when free_old_xmit() processes these stale skbs, it calls dst_release() on freed dst_ops memory, causing a use-after-free. The fix adds skb_dst_drop() in start_xmit to explicitly release dst references before queueing packets, preventing the stale reference issue.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | be0e63f3b97b |
| 5.15 | 5.15.203 | c1ec36cb3768 |
| 6.1 | 6.1.168 | 8a4790850e71 |
| 6.12 | 6.12.80 | f04733c4dc40 |
| 6.18 | 6.18.21 | 9a18629f2525 |
| 6.19 | 6.19.11 | 63d45077b97b |
| 6.6 | 6.6.131 | fedd2e1630ca |
| mainline | 7.0 | ba8bda9a0896 |