CVE-2026-31663 xfrm: hold dev ref until after transport_finish NF_HOOK

🗓️ 24 Apr 2026 14:45:13Reported by LinuxType

Fix race by delaying device dereference until after transport_finish NF_HOOK during async crypto.

Reporter	Title	Published	Views	Family All 24
ATTACKERKB	CVE-2026-31663	24 Apr 202614:45	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : bpftool6.18, kernel6.18, kernel6.18-devel (ALAS2023-2026-1693)	9 May 202600:00	–	nessus
Tenable Nessus	Photon OS 5.0: Linux PHSA-2026-5.0-0861	3 Jun 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2026-31663	27 Apr 202600:00	–	nessus
Amazon	Important: kernel6.18	9 May 202600:00	–	amazon
Circl	CVE-2026-31663	28 Apr 202603:10	–	circl
CNNVD	Linux kernel 安全漏洞	24 Apr 202600:00	–	cnnvd
CVE	CVE-2026-31663	24 Apr 202614:45	–	cve
Debian CVE	CVE-2026-31663	24 Apr 202614:45	–	debiancve
EUVD	EUVD-2026-25556	24 Apr 202614:45	–	euvd

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/ipv4/xfrm4_input.c",
      "net/ipv6/xfrm6_input.c",
      "net/xfrm/xfrm_input.c"
    ],
    "versions": [
      {
        "version": "acf568ee859f098279eadf551612f103afdacb4e",
        "lessThan": "0f451b43c88bf2b9c038b414be580efee42e031b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "acf568ee859f098279eadf551612f103afdacb4e",
        "lessThan": "5002beda5cac69d522dc54da0d5d463ed9c963d2",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "acf568ee859f098279eadf551612f103afdacb4e",
        "lessThan": "1c428b03840094410c5fb6a5db30640486bbbfcb",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "69895c5ea0ca2e8d7de1e6d36965d0ab9730787f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "833760100588acfb267dac4d6a02ab9931237739",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e095ecaec6d94aa2156cceb98a85d409b51190f3",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "3.2.100",
        "lessThan": "3.3",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "3.16.55",
        "lessThan": "3.17",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "4.14.24",
        "lessThan": "4.15",
        "status": "affected",
        "versionType": "semver"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/ipv4/xfrm4_input.c",
      "net/ipv6/xfrm6_input.c",
      "net/xfrm/xfrm_input.c"
    ],
    "versions": [
      {
        "version": "4.15",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.15",
        "status": "unaffected",
        "versionType": "semver"
      },
      {
        "version": "6.18.23",
        "lessThanOrEqual": "6.18.*",
        "status": "unaffected",
        "versionType": "semver"
      },
      {
        "version": "6.19.13",
        "lessThanOrEqual": "6.19.*",
        "status": "unaffected",
        "versionType": "semver"
      },
      {
        "version": "7.0",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Source	Link
git	www.git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2
git	www.git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb
git	www.git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b

23 May 2026 16:05Current

CVSS 3.17.8

EPSS0.00119