net/ipv6 FlowLabel UAF (CVE-2026-31680)
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 5.1 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: flowlabel: defer exclusive option free until RCU teardown

`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`.

Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
02 KernelScan AI Analysis
Risk summary
Local users with low privileges can trigger a kernel crash or leak heap information by racing exclusive flowlabel cleanup with /proc/net/ip6_flowlabel reads. This causes a use-after-free when the proc reader dereferences freed option data, resulting in potential information disclosure and system denial of service through kernel panic.
Vulnerability analysis
The root cause is a race between fl_release(), which frees fl->opt immediately when fl->users drops to zero, and ip6fl_seq_show(), which reads fl->opt->opt_nflen under the RCU read lock when /proc/net/ip6_flowlabel is read. The flowlabel struct stays in the global hash table until later garbage collection and the RCU callback remove it, so there is a window in which a concurrent proc reader can dereference the already-freed option block. Because the access is a read of heap memory that is then emitted through seq_file, the primitive can disclose freed kernel heap data (C:Low) in addition to causing a kernel panic (A:High). The fix defers kfree(fl->opt) until fl_free_rcu(), matching the lifetime of the containing flowlabel structure. The attack surface is local-only: it requires the ability to read /proc/net/ip6_flowlabel and to create and release exclusive IPv6 flowlabels (typically CAP_NET_ADMIN, which is obtainable inside unprivileged user namespaces on default kernels).
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 4b6798024f7b |
| 5.15 | 5.15.203 | 3c54b66c83fb |
| 6.1 | 6.1.168 | 5a6b15f861b7 |
| 6.6 | 6.6.134 | 6c7fbdb8ffde |
| 6.12 | 6.12.81 | 802796493178 |
| 6.18 | 6.18.22 | 414726b69921 |
| 6.19 | 6.19.12 | 572ce6277851 |
| mainline | 7.0 | 9ca562bb8e66 |
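As a practitioner's check added here (it is not part of the advisory or of KernelScan), the POSIX shell function below compares a kernel version string against the fix table above and reports fixed, vulnerable or unknown. It assumes upstream stable-kernel numbering: distribution kernels that backport the patch without bumping the version, and branches not listed in the table, are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling. Fixed-version table copied
# from the advisory above (branch, first fixed release).
FIXED_TABLE="5.10 5.10.253
5.15 5.15.203
6.1 6.1.168
6.6 6.6.134
6.12 6.12.81
6.18 6.18.22
6.19 6.19.12"
MAINLINE_FIXED="7.0"

# kernel_base VERSION: strip a distro suffix, "6.12.81-1-amd64" -> "6.12.81"
kernel_base() {
    printf '%s' "$1" | sed 's/[^0-9.].*//'
}

# ver_ge A B: exit 0 if dotted version A >= B, comparing field by field
ver_ge() {
    ver_a=$1 ver_b=$2
    while [ -n "$ver_a" ] || [ -n "$ver_b" ]; do
        fa=${ver_a%%.*}; fb=${ver_b%%.*}
        [ "$ver_a" = "$fa" ] && ver_a="" || ver_a=${ver_a#*.}
        [ "$ver_b" = "$fb" ] && ver_b="" || ver_b=${ver_b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# cve_2026_31680_status VERSION: prints fixed | vulnerable | unknown
cve_2026_31680_status() {
    case "$1" in
        *-rc*) echo unknown; return 0 ;;   # release candidates are not in the table
    esac
    base=$(kernel_base "$1")
    branch=$(printf '%s' "$base" | cut -d. -f1,2)
    if ver_ge "$branch" "$MAINLINE_FIXED"; then
        echo fixed; return 0              # 7.0 and later carry the mainline fix
    fi
    fixed_in=$(printf '%s\n' "$FIXED_TABLE" | awk -v b="$branch" '$1 == b { print $2 }')
    if [ -z "$fixed_in" ]; then
        echo unknown; return 0            # branch not covered by the advisory
    fi
    if ver_ge "$base" "$fixed_in"; then echo fixed; else echo vulnerable; fi
}

# Usage: cve_2026_31680_status "$(uname -r)"
```

A result of "unknown" on a distribution kernel means the check cannot decide; consult the distribution's own advisory for the backported patch commit.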