PT-2026-34409 · Linux+2 · Linux Kernel+2
Published: 2026-04-22 · Updated: 2026-06-17 · CVE-2026-31504
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A race condition exists in the packet_release() function where a NETDEV_UP event can re-register a socket into a fanout group's arr[] array. Because packet_release() does not zero the po->num variable while holding the bind_lock, a concurrent packet_notifier(NETDEV_UP) can re-register the hook. For fanout sockets, this process calls fanout_link(sk, po), which adds the socket back into f->arr[] and increments f->num_members without incrementing f->sk_ref. This results in a Use-After-Free (UAF) condition, which is a situation where a program continues to use a pointer after it has been freed, potentially leading to crashes or unauthorized memory access.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
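The accounting mismatch from the Description, as an added single-threaded model (not kernel code, and not from this advisory): it replays the interleaving in a fixed order and counts fanout entries left pointing at a released socket, with and without zeroing num while the lock is held. The struct layouts, the model_* names and the protocol value 3 are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified single-threaded model, not kernel code. Field names follow the
 * description; struct layout and model_* names are assumptions. */
struct model_sock { int num; int freed; };   /* num == 0 means unbound */
struct model_fanout {
    struct model_sock *arr[4];               /* f->arr[] */
    int num_members;                         /* f->num_members */
    int sk_ref;                              /* f->sk_ref */
};

/* As described: adds the socket to arr[] and bumps num_members, not sk_ref. */
static void model_fanout_link(struct model_fanout *f, struct model_sock *sk) {
    f->arr[f->num_members++] = sk;
}

static void model_fanout_unlink(struct model_fanout *f, struct model_sock *sk) {
    for (int i = 0; i < f->num_members; i++)
        if (f->arr[i] == sk) { f->arr[i] = f->arr[--f->num_members]; return; }
}

/* NETDEV_UP notifier: re-registers any socket that still looks bound. */
static void model_notifier_up(struct model_fanout *f, struct model_sock *sk) {
    if (sk->num != 0)
        model_fanout_link(f, sk);
}

/* Returns how many arr[] entries point at a released socket afterwards. */
int model_release_race(int zero_num_under_lock) {
    struct model_sock sk = { .num = 3, .freed = 0 };   /* constructed value */
    struct model_fanout f = { .num_members = 0, .sk_ref = 0 };
    int dangling = 0;

    model_fanout_link(&f, &sk);              /* socket joins the group ...   */
    f.sk_ref++;                              /* ... and holds one reference  */
    model_fanout_unlink(&f, &sk);            /* release(): bind_lock held    */
    if (zero_num_under_lock)
        sk.num = 0;                          /* socket no longer looks bound */
    model_notifier_up(&f, &sk);              /* lock dropped: notifier runs  */
    f.sk_ref--;                              /* release(): reference dropped */
    sk.freed = 1;                            /* flag stands in for the free  */
    for (int i = 0; i < f.num_members; i++)
        dangling += f.arr[i]->freed;
    return dangling;
}

int main(void) {
    printf("num left set: %d dangling\n", model_release_race(0));
    printf("num zeroed:   %d dangling\n", model_release_race(1));
    return 0;
}
```

In the first run the group ends with sk_ref at 0 and num_members at 1, which is the state the Description identifies as the source of the use-after-free.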
Use After Free
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Ubuntu