PT-2026-36330 · Linux · Linux Kernel

Published: 2026-05-01 · Updated: 2026-05-22 · CVE-2026-31700

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the tpacket_snd() function when PACKET_VNET_HDR is enabled. The vnet_hdr points to a memory-mapped TX ring buffer shared with userspace. Although the kernel validates the header using the packet_snd_vnet_parse() function, it subsequently re-reads the fields in the virtio_net_hdr_to_skb() function. This allows a concurrent userspace thread to modify the vnet_hdr fields after validation but before use, effectively bypassing safety checks.

Recommendations

Copy vnet_hdr from the memory-mapped ring buffer to a stack-local variable before validation and use.
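
The double-fetch shape from the Description and the snapshot fix from the Recommendations, side by side in a userspace model. This is an added example, not kernel code or the upstream patch; `struct demo_hdr`, `demo_validate`, the 64-byte limit and the `race_hook` callback (a deterministic stand-in for the concurrent writer) are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a header that lives in memory shared with userspace. */
struct demo_hdr { uint16_t hdr_len; };
#define DEMO_PKT_LEN 64u   /* constructed limit used by the check */

/* Models the concurrent writer: invoked at the point where another thread
 * could win the race, after validation and before use. */
typedef void (*race_hook)(volatile struct demo_hdr *shared);

static int demo_validate(uint16_t hdr_len) { return hdr_len <= DEMO_PKT_LEN; }

/* Flawed shape: the check and the use each read the shared memory.
 * Returns the length actually used, or -1 if validation rejected it. */
int use_double_fetch(volatile struct demo_hdr *shared, race_hook hook)
{
    if (!demo_validate(shared->hdr_len))    /* fetch 1: time of check */
        return -1;
    if (hook) hook(shared);                 /* race window */
    return shared->hdr_len;                 /* fetch 2: time of use */
}

/* Recommended shape: one fetch into a stack-local copy; validate and use the copy. */
int use_snapshot(volatile struct demo_hdr *shared, race_hook hook)
{
    struct demo_hdr local;
    local.hdr_len = shared->hdr_len;        /* the only read of shared memory */
    if (!demo_validate(local.hdr_len))
        return -1;
    if (hook) hook(shared);                 /* later writes cannot reach 'local' */
    return local.hdr_len;
}

/* Constructed writer: replaces a valid length with one the check would reject. */
static void demo_writer(volatile struct demo_hdr *shared) { shared->hdr_len = 4096; }

int demo_run(int fixed)
{
    volatile struct demo_hdr shared = { .hdr_len = 16 };   /* passes validation */
    return fixed ? use_snapshot(&shared, demo_writer)
                 : use_double_fetch(&shared, demo_writer);
}

int main(void)
{
    printf("double fetch used %d, snapshot used %d\n", demo_run(0), demo_run(1));
    return 0;
}
```

When reviewing similar code, the thing to look for is any second dereference of a pointer into user-writable memory after the value it points to has been checked.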

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2026-31700
ECHO-2473-011C-5F63
OPENSUSE-SU-2026:10793-1

Affected Products

Linux Kernel