CVE-2026-31700

Advisory lineage Upstream: 0 Downstream: 5

Downstream

DEBIAN-CVE-2026-31700 MGASA-2026-0108 MGASA-2026-0110 OPENSUSE-SU-2026:10793-1 UBUNTU-CVE-2026-31700

Analyzed

Published: 01 May 2026, 13:56

Last modified:11 May 2026, 22:14

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (cve.org)

EPSS Score

0.01% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

01 May 2026, 13:56

Published

Vulnerability first disclosed

11 May 2026, 22:14

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks. The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory. Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.01%• Percentile: 3%

Techniques & Countermeasures

CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

linux•linux
≥ 1d036d25e5609ba73fee6a88db01c306b140d512, < 74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121 | ≥ 1d036d25e5609ba73fee6a88db01c306b140d512, < 3a1bf9116ea31470b89692585c3910dfe830dcdd | ≥ 1d036d25e5609ba73fee6a88db01c306b140d512, < 28324a3b62d9ce7f9bdd65a8ce63f382041d1b27 | ≥ 1d036d25e5609ba73fee6a88db01c306b140d512, < 48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b | ≥ 1d036d25e5609ba73fee6a88db01c306b140d512, < 2c054e17d9d41f1020376806c7f750834ced4dc5 | 4.6
linux•linux_kernel
≥ 4.6, < 6.6.136 | ≥ 6.7, < 6.12.84 | ≥ 6.13, < 6.18.25 | ≥ 6.19, < 7.0.2 | 7.1:rc1 | 7.1:rc2