CVE-2026-31700 Overview
CVE-2026-31700 is a Time-of-Check Time-of-Use (TOCTOU) race condition in the Linux kernel's net/packet subsystem. The flaw resides in tpacket_snd() when PACKET_VNET_HDR is enabled. The kernel reads vnet_hdr directly from an mmap'd TX ring buffer shared with userspace, validates it via __packet_snd_vnet_parse(), and then re-reads the same fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr between validation and use, bypassing kernel safety checks. This issue is classified under [CWE-362] (Concurrent Execution using Shared Resource with Improper Synchronization).
Critical Impact
A local attacker who can open an AF_PACKET socket can bypass vnet header validation. The inconsistent header values that then reach virtio_net_hdr_to_skb() can corrupt skb metadata and kernel memory, with an impact rated as full loss of confidentiality, integrity, and availability.
Affected Products
- Linux Kernel (multiple stable branches prior to fix)
- Linux Kernel 7.1-rc1
- Linux Kernel 7.1-rc2
Discovery Timeline
- 2026-05-01 - CVE-2026-31700 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31700
Vulnerability Analysis
The vulnerability exists in the TPACKET TX path of the Linux kernel's packet socket implementation. When a process creates an AF_PACKET socket with PACKET_VNET_HDR enabled and uses the TPACKET ring buffer for transmission, the kernel maps a region of memory shared between userspace and the kernel. The vnet_hdr structure resides within this shared mmap'd region.
In tpacket_snd(), the kernel obtains a pointer to vnet_hdr that references the shared memory directly rather than copying the structure to a kernel-controlled buffer. The validation routine __packet_snd_vnet_parse() reads and checks fields such as flags, GSO type, and header lengths. After validation passes, control flows to virtio_net_hdr_to_skb(), which re-reads the same fields from the same shared memory location.
Between these two reads, a second userspace thread can mutate the header values. This breaks the assumption that validated data remains constant during use. The non-TPACKET path in packet_snd() and other consumers in tun.c, tap.c, and virtio_net.c already copy vnet_hdr to a stack-local variable, making the TPACKET TX path the sole offender.
Root Cause
The root cause is a double-fetch pattern across a trust boundary. The kernel treats the mmap'd ring buffer as stable input during validation, but userspace retains write access to that memory throughout the system call. The absence of a defensive copy creates the TOCTOU window.
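The check/use split and the defensive copy that removes it, as an added example that models the pattern in plain user-space C; it is not kernel code and not the upstream patch. vnet_parse() and vnet_to_skb() are simplified stand-ins for __packet_snd_vnet_parse() and virtio_net_hdr_to_skb(), the header layout mirrors struct virtio_net_hdr, and the concurrent userspace writer is replaced by a callback invoked inside the window so the outcome is reproducible rather than timing dependent:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors struct virtio_net_hdr (flags, gso_type, hdr_len, gso_size, csum_start, csum_offset). */
struct vnet_hdr {
    uint8_t  flags;
    uint8_t  gso_type;
    uint16_t hdr_len;
    uint16_t gso_size;
    uint16_t csum_start;
    uint16_t csum_offset;
};

#define VNET_F_NEEDS_CSUM 1u   /* VIRTIO_NET_HDR_F_NEEDS_CSUM */
#define VNET_GSO_NONE     0u   /* VIRTIO_NET_HDR_GSO_NONE */
#define VNET_GSO_TCPV4    1u   /* VIRTIO_NET_HDR_GSO_TCPV4 */

/* Simplified stand-in for __packet_snd_vnet_parse(): 0 = consistent header, -1 = reject. */
static int vnet_parse(const struct vnet_hdr *h, size_t frame_len)
{
    if ((h->flags & VNET_F_NEEDS_CSUM) &&
        (size_t)h->csum_start + h->csum_offset + 2 > frame_len)
        return -1;                       /* checksum field would lie outside the frame */
    if (h->gso_type != VNET_GSO_NONE && h->gso_size == 0)
        return -1;                       /* GSO requested with no segment size */
    return 0;
}

/* Simplified stand-in for virtio_net_hdr_to_skb(): it trusts its input, so feeding it a
   header that vnet_parse() would reject models the skb metadata corruption described above.
   Returns 1 if an inconsistent header was consumed, 0 otherwise. */
static int vnet_to_skb(const struct vnet_hdr *h, size_t frame_len)
{
    return vnet_parse(h, frame_len) != 0;
}

/* Models the second userspace thread. In the real race it writes concurrently; here it is
   invoked deterministically inside the check/use window. */
typedef void (*racer_fn)(struct vnet_hdr *ring_slot);

/* Vulnerable shape of tpacket_snd(): check and use both dereference the shared ring slot.
   Returns -1 if rejected at check time, 1 if poisoned values reached the consumer, else 0. */
int tpacket_tx_unsafe(struct vnet_hdr *ring_slot, size_t frame_len, racer_fn racer)
{
    if (vnet_parse(ring_slot, frame_len) != 0)
        return -1;
    racer(ring_slot);                    /* TOCTOU window: userspace still owns this memory */
    return vnet_to_skb(ring_slot, frame_len);
}

/* Fixed shape: one copy into a kernel-owned local, then check and use operate on the copy. */
int tpacket_tx_safe(struct vnet_hdr *ring_slot, size_t frame_len, racer_fn racer)
{
    struct vnet_hdr local;
    memcpy(&local, ring_slot, sizeof local);   /* single fetch across the trust boundary */
    if (vnet_parse(&local, frame_len) != 0)
        return -1;
    racer(ring_slot);                    /* write lands in the ring; local is unaffected */
    return vnet_to_skb(&local, frame_len);
}

/* Racer: after validation, push the checksum fields far past the end of the frame. */
static void poison_csum(struct vnet_hdr *ring_slot)
{
    ring_slot->csum_start  = 0xFFFF;
    ring_slot->csum_offset = 0xFFFF;
}

/* Constructed benign header: TCP checksum over a 1500-byte frame, header at offset 34. */
static struct vnet_hdr benign_hdr(void)
{
    struct vnet_hdr h = { .flags = VNET_F_NEEDS_CSUM, .gso_type = VNET_GSO_NONE,
                          .hdr_len = 54, .gso_size = 0, .csum_start = 34, .csum_offset = 16 };
    return h;
}

int demo_unsafe(void) { struct vnet_hdr s = benign_hdr(); return tpacket_tx_unsafe(&s, 1500, poison_csum); }
int demo_safe(void)   { struct vnet_hdr s = benign_hdr(); return tpacket_tx_safe(&s, 1500, poison_csum); }

/* A header that is already bad at check time is refused on both paths (-1 + -1). */
int demo_rejected(void)
{
    struct vnet_hdr s = benign_hdr();
    s.gso_type = VNET_GSO_TCPV4;         /* GSO requested with gso_size == 0 */
    return tpacket_tx_unsafe(&s, 1500, poison_csum) + tpacket_tx_safe(&s, 1500, poison_csum);
}

int main(void)
{
    printf("unsafe path consumed poisoned header: %d\n", demo_unsafe());   /* 1 */
    printf("safe path consumed poisoned header:   %d\n", demo_safe());     /* 0 */
    printf("header bad at check time, both paths: %d\n", demo_rejected()); /* -2 */
    return 0;
}
```

tpacket_tx_unsafe() accepts the header at check time and then acts on the poisoned values; tpacket_tx_safe() copies the slot once, so the same write lands only in memory the kernel never reads again. The copy has to precede validation: copying after the check would leave exactly the same window open.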
Attack Vector
Exploitation requires local access and the ability to open an AF_PACKET socket, which requires CAP_NET_RAW in the user namespace that owns the network namespace. On systems that allow unprivileged user namespaces, an otherwise unprivileged user can obtain that capability inside a freshly created user and network namespace, so the capability requirement should not be treated as a hard barrier. An attacker uses two threads: one fills TX ring frames and issues send calls through the TPACKET ring while the second continuously rewrites the vnet_hdr fields in the shared mmap region. Winning the race allows the attacker to pass validation with benign values and then deliver malicious values, such as inconsistent GSO sizes or header offsets, to virtio_net_hdr_to_skb(), leading to skb metadata corruption and potential kernel memory disclosure or privilege escalation.
No public proof-of-concept code is available. Refer to the upstream commits in the kernel.org stable tree for the corrective patch.
Detection Methods for CVE-2026-31700
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing tpacket_snd, virtio_net_hdr_to_skb, or __packet_snd_vnet_parse in dmesg and /var/log/kern.log.
- Unprivileged or service accounts creating AF_PACKET sockets with PACKET_VNET_HDR enabled when not expected by the workload baseline.
- Multi-threaded processes mapping packet ring buffers with PACKET_TX_RING and performing rapid writes from a non-sending thread.
Detection Strategies
- Audit the use of the socket(AF_PACKET, ...) system call combined with setsockopt for PACKET_VNET_HDR and PACKET_TX_RING using auditd rules.
- Monitor for processes holding CAP_NET_RAW that spawn additional threads writing to mmap'd packet ring regions.
- Correlate kernel crash signatures within the packet subsystem against process ancestry to identify exploitation attempts.
Monitoring Recommendations
- Enable Linux audit rules covering socket, setsockopt, and mmap syscalls and forward events to a centralized log platform for correlation.
- Track processes that hold CAP_NET_RAW outside of expected daemons such as tcpdump, dhclient, or container networking components.
- Alert on kernel log messages (dmesg or the journal) emitted by the packet subsystem, including skb validation failures or warnings raised during packet transmission.
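The audit correlation described in the Detection Strategies and Monitoring Recommendations lists above, as an added example that is not part of the advisory. It is a small C correlator that replays constructed auditd SYSCALL records (not real logs) and flags a process once it has successfully opened an AF_PACKET socket and set both PACKET_TX_RING and PACKET_VNET_HDR on it. The x86_64 syscall numbers (41 socket, 54 setsockopt) and the option constants (AF_PACKET 17, SOL_PACKET 263, PACKET_TX_RING 13, PACKET_VNET_HDR 15) are the kernel's; the audit rules quoted in the comment are an assumed configuration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed audit rules (not from the advisory) that would emit the records parsed below:
 *   -a always,exit -F arch=b64 -S socket     -F a0=17  -k af_packet    (AF_PACKET == 17)
 *   -a always,exit -F arch=b64 -S setsockopt -F a1=263 -k packet_opts  (SOL_PACKET == 263)
 * Audit records print syscall= and pid= in decimal and a0..a3 in hex without a 0x prefix. */

#define NR_SOCKET_X86_64      41
#define NR_SETSOCKOPT_X86_64  54
#define AF_PACKET_VAL         17
#define SOL_PACKET_VAL        263
#define PACKET_TX_RING_VAL    13
#define PACKET_VNET_HDR_VAL   15

enum { SEEN_PACKET_SOCK = 1, SEEN_TX_RING = 2, SEEN_VNET_HDR = 4,
       SEEN_ALL = SEEN_PACKET_SOCK | SEEN_TX_RING | SEEN_VNET_HDR };

#define MAX_PIDS 64
struct pid_state { long pid; unsigned seen; };

/* Value of "key<number>" in an audit record, or -1 if the key is absent. Keys carry a
   leading space so " pid=" cannot match inside "ppid=". */
static long field_num(const char *line, const char *key, int base)
{
    const char *p = strstr(line, key);
    return p ? strtol(p + strlen(key), NULL, base) : -1;
}

static struct pid_state *state_for(struct pid_state *tbl, size_t *n, long pid)
{
    for (size_t i = 0; i < *n; i++)
        if (tbl[i].pid == pid) return &tbl[i];
    if (*n == MAX_PIDS) return NULL;
    tbl[*n].pid = pid;
    tbl[*n].seen = 0;
    return &tbl[(*n)++];
}

/* Feeds SYSCALL records through a per-pid state machine. Returns the pid of the first process
   that successfully opened an AF_PACKET socket and set both PACKET_TX_RING and PACKET_VNET_HDR
   on SOL_PACKET, or 0 if no process completed that sequence. */
long first_flagged_pid(const char *const *lines, size_t nlines)
{
    struct pid_state tbl[MAX_PIDS];
    size_t n = 0;
    for (size_t i = 0; i < nlines; i++) {
        const char *l = lines[i];
        if (!strstr(l, "type=SYSCALL") || !strstr(l, "success=yes"))
            continue;                                 /* failed calls never reach the ring */
        long pid = field_num(l, " pid=", 10);
        long nr  = field_num(l, " syscall=", 10);
        struct pid_state *st = pid > 0 ? state_for(tbl, &n, pid) : NULL;
        if (!st) continue;
        if (nr == NR_SOCKET_X86_64 && field_num(l, " a0=", 16) == AF_PACKET_VAL) {
            st->seen |= SEEN_PACKET_SOCK;
        } else if (nr == NR_SETSOCKOPT_X86_64 && field_num(l, " a1=", 16) == SOL_PACKET_VAL) {
            long opt = field_num(l, " a2=", 16);
            if (opt == PACKET_TX_RING_VAL)  st->seen |= SEEN_TX_RING;
            if (opt == PACKET_VNET_HDR_VAL) st->seen |= SEEN_VNET_HDR;
        }
        if (st->seen == SEEN_ALL) return pid;
    }
    return 0;
}

/* Constructed sample records (not real logs). pid 900 is a capture tool using an RX ring
   only, pid 1337 failed to open the socket, pid 4242 completes the vulnerable setup. */
static const char *const SAMPLE_LOG[] = {
    "type=SYSCALL msg=audit(1778000000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=11 a1=3 a2=300 a3=0 items=0 ppid=1 pid=900 auid=0 uid=0 comm=\"tcpdump\" exe=\"/usr/bin/tcpdump\" key=\"af_packet\"",
    "type=SYSCALL msg=audit(1778000000.102:502): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=107 a2=5 a3=7ffd0 items=0 ppid=1 pid=900 auid=0 uid=0 comm=\"tcpdump\" exe=\"/usr/bin/tcpdump\" key=\"packet_opts\"",
    "type=SYSCALL msg=audit(1778000000.103:503): arch=c000003e syscall=41 success=no exit=-1 a0=11 a1=3 a2=300 a3=0 items=0 ppid=1 pid=1337 auid=1000 uid=1000 comm=\"probe\" exe=\"/tmp/probe\" key=\"af_packet\"",
    "type=SYSCALL msg=audit(1778000000.104:504): arch=c000003e syscall=41 success=yes exit=3 a0=11 a1=3 a2=300 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm=\"racer\" exe=\"/tmp/racer\" key=\"af_packet\"",
    "type=SYSCALL msg=audit(1778000000.105:505): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=107 a2=f a3=7ffd0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm=\"racer\" exe=\"/tmp/racer\" key=\"packet_opts\"",
    "type=SYSCALL msg=audit(1778000000.106:506): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=107 a2=d a3=7ffd0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm=\"racer\" exe=\"/tmp/racer\" key=\"packet_opts\"",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

long demo_detect(void) { return first_flagged_pid(SAMPLE_LOG, SAMPLE_LOG_LEN); }

int main(void)
{
    long pid = demo_detect();
    if (pid) printf("flagged pid %ld: AF_PACKET + PACKET_TX_RING + PACKET_VNET_HDR\n", pid);
    else     printf("no process matched\n");
    return 0;
}
```

Legitimate capture tools hit the AF_PACKET rule constantly, so alert on the completed sequence per pid rather than on the socket() call alone; the RX-ring-only tcpdump records and the failed socket() call in the sample are left unflagged for that reason. Records from 32-bit callers arrive as socketcall rather than socket/setsockopt and need a rule of their own.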
How to Mitigate CVE-2026-31700
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable tree as soon as vendor builds are available for your distribution.
- Inventory hosts where untrusted local users or container workloads have CAP_NET_RAW and prioritize patching those systems first.
- Restrict access to AF_PACKET sockets in container environments by dropping CAP_NET_RAW from default capability sets.
Patch Information
The Linux kernel maintainers have released fixes across multiple stable branches. The patch copies vnet_hdr from the mmap'd ring buffer into a stack-local variable before validation and use, matching the safe pattern already present in packet_snd(). Reference commits include 28324a3b62d9, 2c054e17d9d4, 3a1bf9116ea3, 48a6ef291a17, and 74e2db36fe50 available at git.kernel.org.
Workarounds
- Remove CAP_NET_RAW from non-essential users, services, and container runtimes to block creation of AF_PACKET sockets. Because CAP_NET_RAW can be regained inside an unprivileged user namespace, pair this with a restriction on unprivileged user namespace creation where the workload permits it (for example the user.max_user_namespaces sysctl or the distribution-specific control).
- Apply seccomp filters that deny the socket syscall with AF_PACKET for workloads that do not require raw packet access.
- Use Linux Security Modules such as SELinux or AppArmor to confine processes that must retain packet socket capabilities.
# Drop CAP_NET_RAW from a systemd service unit
[Service]
CapabilityBoundingSet=~CAP_NET_RAW
AmbientCapabilities=
NoNewPrivileges=yes
# Verify capabilities at runtime
getpcaps $(pidof my-service)
# Docker: drop NET_RAW and apply a custom seccomp profile file
docker run --cap-drop=NET_RAW --security-opt seccomp=default.json my-image
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.