Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-31680— net: ipv6: flowlabel: defer exclusive option free until RCU teardown

CVSS 7.8 · High EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-31680

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
net: ipv6: flowlabel: defer exclusive option free until RCU teardown
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于ip6_flowlabel中独占选项在引用计数归零时过早释放,可能导致并发/proc读取时访问已释放选项状态。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux d3aedd5ebd4b0b925b0bcda548066803e1318499 ~ 4b6798024f7b2d535f3db1002c760143cdbd1bd3 -
LinuxLinux 3.9 -

II. Public POCs for CVE-2026-31680

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-31680

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-04-25 · 13 CVEs total

CVE-2026-316859.4 CRITICALnetfilter: ip6t_eui64: reject invalid MAC header for all packets
CVE-2026-316829.1 CRITICALbridge: br_nd_send: linearize skb before parsing ND options
CVE-2026-316837.8 HIGHbatman-adv: avoid OGM aggregation when skb tailroom is insufficient
CVE-2026-316787.8 HIGHopenvswitch: defer tunnel netdev_put to RCU release
CVE-2026-316757.8 HIGHnet/sched: sch_netem: fix out-of-bounds access in packet corruption
CVE-2026-316737.8 HIGHaf_unix: read UNIX_DIAG_VFS data under unix_state_lock
CVE-2026-316767.5 HIGHrxrpc: only handle RESPONSE during service challenge
CVE-2026-316797.1 HIGHopenvswitch: validate MPLS set/set_masked payload length
CVE-2026-316747.1 HIGHnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
CVE-2026-31684net: sched: act_csum: validate nested VLAN headers
CVE-2026-31681netfilter: xt_multiport: validate range encoding in checkentry
CVE-2026-31677crypto: af_alg - limit RX SG extraction by receive buffer budget

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-31680

No comments yet

Leave a comment