# xfrm Policy Threshold Race

CVE-2026-31516
Severity: HIGH (KernelScan AI score 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

## Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: prevent policy_hthresh.work from racing with netns teardown

An XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory.

xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work. Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net.
## KernelScan AI Analysis

### Risk summary
A privileged local attacker with CAP_NET_ADMIN can trigger a race condition during network namespace teardown by sending XFRM policy threshold configuration messages. This can lead to kernel memory corruption when queued work items access freed network namespace structures, potentially causing system crashes or privilege escalation.
### Vulnerability analysis

Root Cause: A race condition exists between the XFRM policy hash threshold work item (policy_hthresh.work) and network namespace teardown. When an XFRM_MSG_NEWSPDINFO netlink message queues policy_hthresh.work, the work callback xfrm_hash_rebuild() uses container_of() to recover the struct net pointer from the embedded work item. If the network namespace is destroyed before the work item executes, that struct net may already be freed, and xfrm_hash_rebuild() then dereferences stale memory.
Attack Surface: This vulnerability is triggered through netlink XFRM_MSG_NEWSPDINFO messages, which require CAP_NET_ADMIN privileges. The race window occurs during network namespace destruction, making it primarily exploitable by privileged local users who can create/destroy network namespaces and send XFRM netlink messages.
Fix Mechanism: The fix adds a call to disable_work_sync(&net->xfrm.policy_hthresh.work) in xfrm_policy_fini() during network namespace teardown. This ensures that any queued policy_hthresh.work is completed or cancelled before the network namespace and its associated struct net are freed, preventing the use-after-free condition.
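As an added illustration of the teardown ordering described above (this is not kernel code and not part of the advisory), the following userspace model shows why flushing only one of two per-net work items leaves a dangling reference: the names mirror the kernel's, but the workqueue, disable_work_sync() and the teardown_dangling() helper are simplified stand-ins constructed for the example.

```c
/* Userspace model (constructed; not kernel code) of the per-net deferred-work pattern
 * behind CVE-2026-31516: work queued by a netlink request must be synchronized in the
 * pernet exit path before struct net is freed. */
#include <stdbool.h>
#include <stddef.h>

struct work_struct { void (*func)(struct work_struct *); bool pending, disabled; };
struct net {                                /* the slice of struct net the xfrm code touches */
    struct work_struct policy_hash_work;    /* already flushed by xfrm_policy_fini() */
    struct work_struct policy_hthresh_work; /* the item the fix synchronizes */
    int hash_rebuilds;
};

/* Toy system workqueue: slots hold pending items until a worker thread runs them. */
#define MAX_WORK 8
static struct work_struct *system_wq[MAX_WORK];

static bool queue_work(struct work_struct *w) {
    if (w->disabled || w->pending) return false;
    for (int i = 0; i < MAX_WORK; i++)
        if (!system_wq[i]) { system_wq[i] = w; w->pending = true; return true; }
    return false;
}
/* Model of disable_work_sync(): drop a pending instance and refuse new ones. */
static void disable_work_sync(struct work_struct *w) {
    for (int i = 0; i < MAX_WORK; i++)
        if (system_wq[i] == w) system_wq[i] = NULL;
    w->pending = false;
    w->disabled = true;
}
/* Work callback: recovers struct net from the embedded item, like container_of(). */
static void xfrm_hash_rebuild(struct work_struct *w) {
    struct net *net = (struct net *)((char *)w - offsetof(struct net, policy_hthresh_work));
    net->hash_rebuilds++; /* in the real bug this line touches freed memory */
}
/* XFRM_MSG_NEWSPDINFO handler: only schedules the rebuild; the worker runs it later. */
static void xfrm_new_spdinfo(struct net *net) { queue_work(&net->policy_hthresh_work); }

/* Teardown as xfrm_policy_fini() did it before (fixed=false) and after (fixed=true) the
 * patch. Returns how many queued items still point into the net at the moment it would
 * be freed; anything above zero is a use-after-free waiting for the worker to run. */
static int teardown_dangling(bool fixed) {
    struct net net = {0};
    net.policy_hthresh_work.func = xfrm_hash_rebuild;
    xfrm_new_spdinfo(&net);                                 /* queued by netlink, not yet run */
    disable_work_sync(&net.policy_hash_work);               /* pre-existing flush */
    if (fixed) disable_work_sync(&net.policy_hthresh_work); /* the added synchronization */
    int left = net.policy_hash_work.pending + net.policy_hthresh_work.pending;
    disable_work_sync(&net.policy_hthresh_work);            /* keep the model itself UAF-free */
    return left;
}
```

teardown_dangling(false) reports one item still queued against the net being freed; teardown_dangling(true) reports none.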
## Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.80 | 56ea2257b83e |
| 6.18 | 6.18.21 | 8854e9367465 |
| 6.19 | 6.19.11 | 4e2e77843fef |
| mainline | 7.0 | 29fe3a61bcdc |