CVE-2026-31469

HIGHPre-NVD 7.87.8
EchelonGraph scoreMEDIUM confidence

Score 7.8 from GitHub Security Advisory (severity: HIGH) published 2026-04-22. NVD baseline CVSS 7.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd
7.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false

A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules).

When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed. In virtio_net with napi_tx=N, skbs may remain in the virtio transmit ring for an extended period.

If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure has freed. When a subsequent packet is transmitted, free_old_xmit() is triggered to clean up old skbs. It then calls dst_release() on the skb associated with the stale dst_entry. Since the dst_ops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs.

fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net.

Call Trace: Unable to handle kernel paging request at virtual address ffff80007e150000 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT ... percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P) dst_release+0xe0/0x110 net/core/dst.c:177 skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177 sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255 dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469 napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527 __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net] free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net] start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net] ...

Reproduction Steps: NETDEV="enp3s0"

config_qdisc_route_filter() { tc qdisc del dev $NETDEV root tc qdisc add dev $NETDEV root handle 1: prio tc filter add dev $NETDEV parent 1:0 \ protocol ip prio 100 route to 100 flowid 1:1 ip route add 192.168.1.100/32 dev $NETDEV realm 100 }

test_ns() { ip netns add testns ip link set $NETDEV netns testns ip netns exec testns ifconfig $NETDEV 10.0.32.46/24 ip netns exec testns ping -c 1 10.0.32.1 ip netns del testns }

config_qdisc_route_filter

test_ns sleep 2 test_ns

CVSS v3
7.8
EG Score
7.8(medium)
EPSS
3.3%
KEV
Not listed

Published

April 22, 2026

Last Modified

July 14, 2026

Advisory Details (8)

Auto-updated May 7, 2026
No patch confirmed yet.
generic

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a
generic

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f
generic

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12
generic

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01
generic

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c
generic

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08
generic

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54
generic

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 10× in last 7d / 42× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 162 total refreshes for this CVE.

  1. 2026-07-15 16:57 UTCEPSS rescore
  2. 2026-07-15 16:57 UTCEPSS rescore
  3. 2026-07-15 02:00 UTCEPSS rescore
  4. 2026-07-15 02:00 UTCEPSS rescore
  5. 2026-07-13 22:30 UTCEPSS rescore
  6. 2026-07-13 06:13 UTCEPSS rescore
  7. 2026-07-13 06:13 UTCEPSS rescore
  8. 2026-07-12 05:46 UTCEPSS rescore
  9. 2026-07-11 08:27 UTCEPSS rescore
  10. 2026-07-09 19:10 UTCEPSS rescore
  11. 2026-07-08 15:15 UTCEPSS rescore
  12. 2026-07-07 13:46 UTCEPSS rescore
  13. 2026-07-06 16:27 UTCEPSS rescore
  14. 2026-07-06 16:27 UTCEPSS rescore
  15. 2026-07-06 02:23 UTCEPSS rescore
  16. 2026-07-06 02:23 UTCEPSS rescore
  17. 2026-07-05 02:30 UTCEPSS rescore
  18. 2026-07-04 06:31 UTCEPSS rescore
  19. 2026-06-30 23:22 UTCEPSS rescore
  20. 2026-06-29 14:06 UTCEPSS rescore
  21. 2026-06-29 14:06 UTCEPSS rescore
  22. 2026-06-28 14:07 UTCEPSS rescore
  23. 2026-06-28 14:07 UTCEPSS rescore
  24. 2026-06-28 04:56 UTCEPSS rescore
  25. 2026-06-28 04:56 UTCEPSS rescore
Show 75 more
  1. 2026-06-27 03:08 UTCEPSS rescore
  2. 2026-06-25 13:49 UTCEPSS rescore
  3. 2026-06-25 13:49 UTCEPSS rescore
  4. 2026-06-24 14:05 UTCEPSS rescore
  5. 2026-06-23 21:33 UTCEPSS rescore
  6. 2026-06-23 21:33 UTCEPSS rescore
  7. 2026-06-22 14:25 UTCEPSS rescore
  8. 2026-06-22 14:25 UTCEPSS rescore
  9. 2026-06-21 14:56 UTCEPSS rescore
  10. 2026-06-21 14:56 UTCEPSS rescore
  11. 2026-06-21 01:59 UTCEPSS rescore
  12. 2026-06-19 19:25 UTCEPSS rescore
  13. 2026-06-19 19:25 UTCEPSS rescore
  14. 2026-06-18 17:52 UTCEPSS rescore
  15. 2026-06-18 17:52 UTCEPSS rescore
  16. 2026-06-17 17:53 UTCEPSS rescore
  17. 2026-06-16 17:52 UTCEPSS rescore
  18. 2026-06-15 17:49 UTCEPSS rescore
  19. 2026-06-15 04:30 UTCEG score recompute
  20. 2026-06-15 04:30 UTCVendor advisory
  21. 2026-06-15 04:30 UTCGHSA enrichment
  22. 2026-06-14 23:18 UTCEPSS rescore
  23. 2026-06-14 16:51 UTCEG score recompute
  24. 2026-06-14 16:51 UTCVendor advisory
  25. 2026-06-14 16:51 UTCGHSA enrichment
  26. 2026-06-13 23:00 UTCEPSS rescore
  27. 2026-06-12 23:12 UTCEPSS rescore
  28. 2026-06-12 23:12 UTCEPSS rescore
  29. 2026-06-12 02:27 UTCEG score recompute
  30. 2026-06-12 02:27 UTCGHSA enrichment
  31. 2026-06-11 14:48 UTCEG score recompute
  32. 2026-06-11 14:48 UTCVendor advisory
  33. 2026-06-11 14:48 UTCGHSA enrichment
  34. 2026-06-11 14:00 UTCEPSS rescore
  35. 2026-06-10 22:18 UTCEPSS rescore
  36. 2026-06-10 14:44 UTCEG score recompute
  37. 2026-06-10 14:44 UTCVendor advisory
  38. 2026-06-10 14:44 UTCGHSA enrichment
  39. 2026-06-10 13:22 UTCEPSS rescore
  40. 2026-06-10 03:05 UTCEG score recompute
  41. 2026-06-10 03:05 UTCVendor advisory
  42. 2026-06-10 03:05 UTCGHSA enrichment
  43. 2026-06-09 15:26 UTCEG score recompute
  44. 2026-06-09 15:26 UTCVendor advisory
  45. 2026-06-09 15:26 UTCGHSA enrichment
  46. 2026-06-09 03:47 UTCEG score recompute
  47. 2026-06-09 03:47 UTCVendor advisory
  48. 2026-06-09 03:47 UTCGHSA enrichment
  49. 2026-06-08 14:17 UTCEPSS rescore
  50. 2026-06-08 14:17 UTCEPSS rescore
  51. 2026-06-08 07:38 UTCEG score recompute
  52. 2026-06-08 07:38 UTCVendor advisory
  53. 2026-06-08 07:38 UTCGHSA enrichment
  54. 2026-06-07 19:59 UTCEG score recompute
  55. 2026-06-07 19:59 UTCVendor advisory
  56. 2026-06-07 19:59 UTCGHSA enrichment
  57. 2026-06-07 15:25 UTCEPSS rescore
  58. 2026-06-07 15:25 UTCEPSS rescore
  59. 2026-06-07 15:25 UTCEPSS rescore
  60. 2026-06-07 08:19 UTCEG score recompute
  61. 2026-06-07 08:19 UTCVendor advisory
  62. 2026-06-07 08:19 UTCGHSA enrichment
  63. 2026-06-06 20:40 UTCEG score recompute
  64. 2026-06-06 20:40 UTCVendor advisory
  65. 2026-06-06 20:40 UTCGHSA enrichment
  66. 2026-06-06 13:47 UTCEPSS rescore
  67. 2026-06-06 13:47 UTCEPSS rescore
  68. 2026-06-06 05:34 UTCEG score recompute
  69. 2026-06-06 05:34 UTCVendor advisory
  70. 2026-06-06 05:34 UTCGHSA enrichment
  71. 2026-06-05 22:47 UTCEPSS rescore
  72. 2026-06-05 22:47 UTCEPSS rescore
  73. 2026-06-05 17:15 UTCEG score recompute
  74. 2026-06-05 17:15 UTCVendor advisory
  75. 2026-06-05 17:15 UTCGHSA enrichment

Frequently asked(5)

What is CVE-2026-31469?
CVE-2026-31469 is a high vulnerability published on April 22, 2026. In the Linux kernel, the following vulnerability has been resolved: virtionet: Fix UAF on dstops when IFFXMITDSTRELEASE is cleared and napitx is false A UAF issue occurs when the virtionet driver is configured with napitx=N and the device's IFFXMITDST_RELEASE flag is cleared (e.g., during the…
When was CVE-2026-31469 disclosed?
CVE-2026-31469 was first published in the National Vulnerability Database on April 22, 2026, with the most recent update on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-31469 actively exploited?
CVE-2026-31469 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-31469?
CVE-2026-31469 has a CVSS v3 base score of 7.8 (NVD).
How do I remediate CVE-2026-31469?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-31469, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-31469

Explore →

Is Your Infrastructure Affected by CVE-2026-31469?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.