net: ipv6: flowlabel: defer exclusive option free until RCU teardown

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: flowlabel: defer exclusive option free until RCU teardown

`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file
RCU read-side lock and prints `fl->opt->opt_nflen` when an option block
is present.

Exclusive flowlabels currently free `fl->opt` as soon as `fl->users`
drops to zero in `fl_release()`. However, the surrounding
`struct ip6_flowlabel` remains visible in the global hash table until
later garbage collection removes it and `fl_free_rcu()` finally tears it
down.

A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that
early `kfree()` and dereference freed option state, triggering a crash
in `ip6fl_seq_show()`.

Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches
the lifetime already required for the enclosing flowlabel while readers
can still reach it under RCU.

Basic Information

ID CVE-2026-31680

Source Linux

Published Apr 25, 2026 at 08:46

Modified Apr 27, 2026 at 14:05

Affected Product

Vendor Linux

Product Linux

Version d3aedd5ebd4b0b925b0bcda548066803e1318499

Affected Versions Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499
Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499
Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499
Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499
Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499
Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499
Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499
Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499
Linux Linux 3.9

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: flowlabel: defer exclusive option free until RCU teardown\n\n`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file\nRCU read-side lock and prints `fl->opt->opt_nflen` when an option block\nis present.\n\nExclusive flowlabels currently free `fl->opt` as soon as `fl->users`\ndrops to zero in `fl_release()`. However, the surrounding\n`struct ip6_flowlabel` remains visible in the global hash table until\nlater garbage collection removes it and `fl_free_rcu()` finally tears it\ndown.\n\nA concurrent `/proc/net/ip6_flowlabel` reader can therefore race that\nearly `kfree()` and dereference freed option state, triggering a crash\nin `ip6fl_seq_show()`.\n\nFix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches\nthe lifetime already required for the enclosing flowlabel while readers\ncan still reach it under RCU.",
    "published": "2026-04-25T08:46:56.807Z",
    "modified": "2026-04-27T14:05:00.799Z",
    "type": "cve",
    "title": "net: ipv6: flowlabel: defer exclusive option free until RCU teardown",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/4b6798024f7b2d535f3db1002c760143cdbd1bd3\nhttps://git.kernel.org/stable/c/3c54b66c83fb8fcbde8e6a7bf90b65856e39f827\nhttps://git.kernel.org/stable/c/5a6b15f861b7c1304949e3350d23490a5fe429fd\nhttps://git.kernel.org/stable/c/6c7fbdb8ffde6413640de7cfbd7c976c353e89f8\nhttps://git.kernel.org/stable/c/8027964931785cb73d520ac70a342a3dc16c249b\nhttps://git.kernel.org/stable/c/414726b69921fe6355ae453f5b35e68dd078342a\nhttps://git.kernel.org/stable/c/572ce62778519a7d4d1c15f55dd2e45a474133c4\nhttps://git.kernel.org/stable/c/9ca562bb8e66978b53028fa32b1a190708e6a091",
    "id": "CVE-2026-31680",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499\nLinux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499\nLinux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499\nLinux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499\nLinux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499\nLinux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499\nLinux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499\nLinux Linux d3aedd5ebd4b0b925b0bcda548066803e1318499\nLinux Linux 3.9",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

net: ipv6: flowlabel: defer exclusive option free until RCU teardown_CVE-2026-31680

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply