Linux Kernel Vulnerability in xfrm Component
CVE-2026-31663
What is CVE-2026-31663?
In the Linux kernel, a vulnerability exists in the xfrm component: device references are handled improperly during asynchronous operations. Specifically, 'dev_put()' is called too soon, before critical transport operations have completed. Releasing the reference this early can lead to race conditions during device teardown, potentially impacting the integrity of network packet processing. The fix changes the timing of the reference release so that it occurs only after the necessary network functions have completed, thereby preventing potential exploitation avenues.
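The ordering problem described above, shown as a simplified userspace model. This is an added example, not the kernel's xfrm code or the upstream patch; the struct, the function names and the `freed` flag are hypothetical stand-ins for a refcounted network device.

```c
#include <stdio.h>
#include <stdbool.h>

/* Userspace model only: names are hypothetical, not the kernel's xfrm code.
 * "freed" stands in for the device memory being released once the last
 * reference is dropped. */
struct model_dev { int refcnt; bool freed; int tx_packets; };

static void model_dev_hold(struct model_dev *d) { d->refcnt++; }
static void model_dev_put(struct model_dev *d)
{
    if (--d->refcnt == 0)
        d->freed = true;              /* last reference gone: teardown completes */
}

/* Transport step that runs when the asynchronous operation completes.
 * Returns 0 on success, -1 if it would touch a released device. */
static int model_transport_finish(struct model_dev *d)
{
    if (d->freed)
        return -1;                    /* in a real kernel: use-after-free */
    d->tx_packets++;
    return 0;
}

/* Simulate one packet whose processing goes asynchronous while the device
 * is torn down concurrently. put_early selects the release ordering. */
int simulate(bool put_early)
{
    struct model_dev dev = { .refcnt = 1, .freed = false, .tx_packets = 0 };
    int rc;

    model_dev_hold(&dev);             /* packet path takes its reference */
    if (put_early)
        model_dev_put(&dev);          /* buggy order: released before completion */
    model_dev_put(&dev);              /* teardown drops the registration reference */
    rc = model_transport_finish(&dev);/* asynchronous completion runs now */
    if (!put_early)
        model_dev_put(&dev);          /* fixed order: released after completion */
    return rc;
}

int main(void)
{
    printf("early put: %d\n", simulate(true));   /* -1 */
    printf("late put:  %d\n", simulate(false));  /* 0 */
    return 0;
}
```

With the early release, teardown drops the last reference before the completion step runs; with the late release, the packet path's reference keeps the device alive until that step has finished.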
Affected Version(s)
Linux acf568ee859f098279eadf551612f103afdacb4e < 0f451b43c88bf2b9c038b414be580efee42e031b
Linux acf568ee859f098279eadf551612f103afdacb4e < 5002beda5cac69d522dc54da0d5d463ed9c963d2
Linux acf568ee859f098279eadf551612f103afdacb4e < 1c428b03840094410c5fb6a5db30640486bbbfcb