CVE-2026-31469

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A Use-After-Free (UAF) issue exists in the virtio net driver when it is configured with napi tx=N and the IFF XMIT DST RELEASE flag is cleared, such as during the configuration of tc route filter rules. When this flag is removed, the network stack expects the driver to maintain the reference to skb->dst until the packet is transmitted and freed. If a network namespace is destroyed while packets are still pending in the virtio transmit ring, the dst ops structure is freed. A subsequent packet transmission triggers free old xmit(), which calls dst release() on the stale dst entry, leading to a kernel paging request because the referenced dst ops has already been freed.

Recommendations As a temporary workaround, consider restricting the use of the virtio net driver with napi tx=N when modifying tc route filter rules or managing network namespaces until a patch is applied.