VOOZH about

URL: https://nvd.nist.gov/vuln/detail/CVE-2026-31663

⇱ NVD - CVE-2026-31663

  1. Vulnerabilities

CVE-2026-31663 Detail

Modified After Enrichment

This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.


Metrics

 
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b kernel.org Patch 
https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb kernel.org Patch 
https://git.kernel.org/stable/c/4236c30b437b80f673b9e08c8fae38b8d471ac9e kernel.org
https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2 kernel.org Patch 

Weakness Enumeration

CWE-ID CWE Name Source
NVD-CWE-noinfo Insufficient Information πŸ‘ cwe source acceptance level
NIST  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

5 change records found show changes

CVE Modified by kernel.org 6/19/2026 9:16:26 AM

Action Type Old Value New Value
Added Reference 
https://git.kernel.org/stable/c/4236c30b437b80f673b9e08c8fae38b8d471ac9e
Changed Affected 
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv4/xfrm4_input.c","net/ipv6/xfrm6_input.c","net/xfrm/xfrm_input.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"0f451b43c88bf2b9c038b414be580efee42e031b","versionType":"git","status":"affected"},{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"5002beda5cac69d522dc54da0d5d463ed9c963d2","versionType":"git","status":"affected"},{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"1c428b03840094410c5fb6a5db30640486bbbfcb","versionType":"git","status":"affected"},{"version":"69895c5ea0ca2e8d7de1e6d36965d0ab9730787f","versionType":"git","status":"affected"},{"version":"833760100588acfb267dac4d6a02ab9931237739","versionType":"git","status":"affected"},{"version":"e095ecaec6d94aa2156cceb98a85d409b51190f3","versionType":"git","status":"affected"},{"version":"3.2.100","lessThan":"3.3","versionType":"semver","status":"affected"},{"version":"3.16.55","lessThan":"3.17","versionType":"semver","status":"affected"},{"version":"4.14.24","lessThan":"4.15","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv4/xfrm4_input.c","net/ipv6/xfrm6_input.c","net/xfrm/xfrm_input.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","versionType":"semver","status":"unaffected"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]


 Record truncated, showing 2048 of 2118 characters.
View Entire Change Record
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv4/xfrm4_input.c","net/ipv6/xfrm6_input.c","net/xfrm/xfrm_input.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"4236c30b437b80f673b9e08c8fae38b8d471ac9e","versionType":"git","status":"affected"},{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"0f451b43c88bf2b9c038b414be580efee42e031b","versionType":"git","status":"affected"},{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"5002beda5cac69d522dc54da0d5d463ed9c963d2","versionType":"git","status":"affected"},{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"1c428b03840094410c5fb6a5db30640486bbbfcb","versionType":"git","status":"affected"},{"version":"69895c5ea0ca2e8d7de1e6d36965d0ab9730787f","versionType":"git","status":"affected"},{"version":"833760100588acfb267dac4d6a02ab9931237739","versionType":"git","status":"affected"},{"version":"e095ecaec6d94aa2156cceb98a85d409b51190f3","versionType":"git","status":"affected"},{"version":"3.2.100","lessThan":"3.3","versionType":"semver","status":"affected"},{"version":"3.16.55","lessThan":"3.17","versionType":"semver","status":"affected"},{"version":"4.14.24","lessThan":"4.15","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv4/xfrm4_input.c","net/ipv6/xfrm6_input.c","net/xfrm/xfrm_input.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual"

CVE Modified by kernel.org 6/17/2026 6:34:11 AM

Action Type Old Value New Value
Added Affected 
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv4/xfrm4_input.c","net/ipv6/xfrm6_input.c","net/xfrm/xfrm_input.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"0f451b43c88bf2b9c038b414be580efee42e031b","versionType":"git","status":"affected"},{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"5002beda5cac69d522dc54da0d5d463ed9c963d2","versionType":"git","status":"affected"},{"version":"acf568ee859f098279eadf551612f103afdacb4e","lessThan":"1c428b03840094410c5fb6a5db30640486bbbfcb","versionType":"git","status":"affected"},{"version":"69895c5ea0ca2e8d7de1e6d36965d0ab9730787f","versionType":"git","status":"affected"},{"version":"833760100588acfb267dac4d6a02ab9931237739","versionType":"git","status":"affected"},{"version":"e095ecaec6d94aa2156cceb98a85d409b51190f3","versionType":"git","status":"affected"},{"version":"3.2.100","lessThan":"3.3","versionType":"semver","status":"affected"},{"version":"3.16.55","lessThan":"3.17","versionType":"semver","status":"affected"},{"version":"4.14.24","lessThan":"4.15","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv4/xfrm4_input.c","net/ipv6/xfrm6_input.c","net/xfrm/xfrm_input.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","versionType":"semver","status":"unaffected"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

Initial Analysis by NIST 4/27/2026 3:59:32 PM

Action Type Old Value New Value
Added CWE 
NVD-CWE-noinfo
Added CPE Configuration 
OR
 *cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.16.55 up to (excluding) 3.17
 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.2.100 up to (excluding) 3.3
 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.14.24 up to (excluding) 4.15
 *cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 6.19.13
 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15.1 up to (excluding) 6.18.23
Added Reference Type 
kernel.org: https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b Types: Patch
Added Reference Type 
kernel.org: https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb Types: Patch
Added Reference Type 
kernel.org: https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2 Types: Patch

CVE Modified by kernel.org 4/27/2026 11:16:17 AM

Action Type Old Value New Value
Added CVSS V3.1 
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

New CVE Received from kernel.org 4/24/2026 11:16:45 AM

Action Type Old Value New Value
Added Description 
In the Linux kernel, the following vulnerability has been resolved:

xfrm: hold dev ref until after transport_finish NF_HOOK

After async crypto completes, xfrm_input_resume() calls dev_put()
immediately on re-entry before the skb reaches transport_finish.
The skb->dev pointer is then used inside NF_HOOK and its okfn,
which can race with device teardown.

Remove the dev_put from the async resumption entry and instead
drop the reference after the NF_HOOK call in transport_finish,
using a saved device pointer since NF_HOOK may consume the skb.
This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip
the okfn.

For non-transport exits (decaps, gro, drop) and secondary
async return points, release the reference inline when
async is set.
Added Reference 
https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b
Added Reference 
https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb
Added Reference 
https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2

Quick Info

CVE Dictionary Entry:
CVE-2026-31663
NVD Published Date:
04/24/2026
NVD Last Modified:
06/19/2026
Source:
kernel.org