CVE-2026-31680

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A use-after-free issue exists in the IPv6 flowlabel implementation. The function ip6fl seq show() iterates through the global flowlabel hash under a seq-file RCU read-side lock and accesses fl->opt->opt nflen when an option block is present. Because exclusive flowlabels free fl->opt immediately when fl->users reaches zero in fl release(), but the struct ip6 flowlabel remains in the global hash table until garbage collection and fl free rcu() occur, a race condition exists. A concurrent reader of '/proc/net/ip6 flowlabel' can dereference the freed option state, leading to a system crash.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.