packet TPACKET VnetHdr Race (CVE-2026-31700)
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
Description
In the Linux kernel, the following vulnerability has been resolved:

net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()

In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks.

The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory.

Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.
KernelScan AI Analysis
Risk summary
A local attacker with packet socket privileges can exploit a race condition to bypass network header validation checks. By modifying virtio network header fields in shared memory between kernel validation and use, an attacker could cause memory corruption or bypass security controls in network packet processing.
Vulnerability analysis
Root Cause: In tpacket_snd(), when PACKET_VNET_HDR is enabled, the vnet_hdr pointer points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, creating a Time-of-Check-Time-of-Use (TOCTOU) race condition that bypasses all safety checks.
Attack Surface: Local attack surface requiring access to AF_PACKET sockets with PACKET_VNET_HDR and PACKET_TX_RING enabled. The attacker needs the ability to create packet sockets and mmap the TX ring buffer, then use multiple threads to race the kernel validation with concurrent modifications to the shared memory region.
Fix Mechanism: The fix copies the vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use. This eliminates the TOCTOU race by ensuring the kernel operates on a consistent copy that cannot be modified by userspace after validation. The patch changes vnet_hdr from a pointer to a struct, adds a has_vnet_hdr boolean flag, and uses memcpy() to create the local copy before validation.
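The check-then-use pattern and the stack-copy fix side by side, as an added illustration rather than the kernel's own code: struct vnet_hdr, vnet_parse(), vnet_to_skb(), racer_poison() and the 1500-byte frame limit are simplified stand-ins for the kernel pieces named above, and the concurrent writer is simulated by a callback invoked between validation and use.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for struct virtio_net_hdr (same field order, no kernel types). */
struct vnet_hdr {
    uint8_t  flags, gso_type;
    uint16_t hdr_len, gso_size, csum_start, csum_offset;
};
typedef void (*racer_fn)(struct vnet_hdr *shared);

#define MAX_FRAME 1500            /* constructed frame length used by the bounds check */
#define VNET_HDR_F_NEEDS_CSUM 1   /* same bit as VIRTIO_NET_HDR_F_NEEDS_CSUM */

/* Stand-in for the validation step (__packet_snd_vnet_parse in the kernel). */
static bool vnet_parse(const struct vnet_hdr *h) {
    if (h->flags & VNET_HDR_F_NEEDS_CSUM)
        return (uint32_t)h->csum_start + h->csum_offset + 2 <= MAX_FRAME;
    return true;
}

/* Stand-in for the consumer (virtio_net_hdr_to_skb) that re-reads the fields;
 * returns the offset of the checksum slot it would write. */
static int vnet_to_skb(const struct vnet_hdr *h) {
    return (h->flags & VNET_HDR_F_NEEDS_CSUM) ? h->csum_start + h->csum_offset : 0;
}

/* Vulnerable pattern: check and use both dereference the pointer into the shared ring. */
static int tpacket_snd_vulnerable(struct vnet_hdr *shared, racer_fn racer) {
    if (!vnet_parse(shared)) return -1;   /* check */
    racer(shared);                         /* window in which userspace rewrites the header */
    return vnet_to_skb(shared);            /* use: reads the modified fields */
}

/* Fixed pattern, as in the patch: copy to a stack-local struct, then check and use the copy. */
static int tpacket_snd_fixed(struct vnet_hdr *shared, racer_fn racer) {
    struct vnet_hdr local;
    memcpy(&local, shared, sizeof(local));
    if (!vnet_parse(&local)) return -1;
    racer(shared);                         /* same window, but 'shared' is never read again */
    return vnet_to_skb(&local);
}

/* Constructed racer standing in for the concurrent userspace thread. */
static void racer_poison(struct vnet_hdr *shared) { shared->csum_start = 0xFFF0; }

static bool offset_in_bounds(int off) { return off >= 0 && off + 2 <= MAX_FRAME; }

/* Runs one path against a constructed, initially valid ring header (csum slot at 34+16). */
static int run_scenario(int (*path)(struct vnet_hdr *, racer_fn)) {
    struct vnet_hdr ring_hdr = { .flags = VNET_HDR_F_NEEDS_CSUM, .csum_start = 34, .csum_offset = 16 };
    return path(&ring_hdr, racer_poison);
}
```

run_scenario(tpacket_snd_vulnerable) yields an offset far outside the frame even though validation passed, while run_scenario(tpacket_snd_fixed) keeps using the validated offset 50.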
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.84 | 3a1bf9116ea3 |
| 6.18 | 6.18.25 | 28324a3b62d9 |
| 6.6 | 6.6.136 | 74e2db36fe50 |
| 7.0 | 7.0.2 | 48a6ef291a17 |
| mainline | 7.1-rc1 | 2c054e17d9d4 |