{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31429", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.089Z", "datePublished": "2026-04-20T09:43:03.194Z", "dateUpdated": "2026-04-20T09:43:03.194Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-20T09:43:03.194Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skb: fix cross-cache free of KFENCE-allocated skb head\n\nSKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2\nvalue (e.g. 704 on x86_64) to avoid collisions with generic kmalloc\nbucket sizes. This ensures that skb_kfree_head() can reliably use\nskb_end_offset to distinguish skb heads allocated from\nskb_small_head_cache vs. generic kmalloc caches.\n\nHowever, when KFENCE is enabled, kfence_ksize() returns the exact\nrequested allocation size instead of the slab bucket size. If a caller\n(e.g. bpf_test_init) allocates skb head data via kzalloc() and the\nrequested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then\nslab_build_skb() -> ksize() returns that exact value. After subtracting\nskb_shared_info overhead, skb_end_offset ends up matching\nSKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free\nthe object to skb_small_head_cache instead of back to the original\nkmalloc cache, resulting in a slab cross-cache free:\n\n kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected\n skbuff_small_head but got kmalloc-1k\n\nFix this by always calling kfree(head) in skb_kfree_head(). This keeps\nthe free path generic and avoids allocator-specific misclassification\nfor KFENCE objects."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skbuff.c"], "versions": [{"version": "bf9f1baa279f0758dc2297080360c5a616843927", "lessThan": "60313768a8edc7094435975587c00c2d7b834083", "status": "affected", "versionType": "git"}, {"version": "bf9f1baa279f0758dc2297080360c5a616843927", "lessThan": "2d64618ea846d8d033477311f805ca487d6a6696", "status": "affected", "versionType": "git"}, {"version": "bf9f1baa279f0758dc2297080360c5a616843927", "lessThan": "474e00b935db250cac320d10c1d3cf4e44b46721", "status": "affected", "versionType": "git"}, {"version": "bf9f1baa279f0758dc2297080360c5a616843927", "lessThan": "0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skbuff.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/60313768a8edc7094435975587c00c2d7b834083"}, {"url": "https://git.kernel.org/stable/c/2d64618ea846d8d033477311f805ca487d6a6696"}, {"url": "https://git.kernel.org/stable/c/474e00b935db250cac320d10c1d3cf4e44b46721"}, {"url": "https://git.kernel.org/stable/c/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516"}], "title": "net: skb: fix cross-cache free of KFENCE-allocated skb head", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skb: fix cross-cache free of KFENCE-allocated skb head\n\nSKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2\nvalue (e.g. 704 on x86_64) to avoid collisions with generic kmalloc\nbucket sizes. This ensures that skb_kfree_head() can reliably use\nskb_end_offset to distinguish skb heads allocated from\nskb_small_head_cache vs. generic kmalloc caches.\n\nHowever, when KFENCE is enabled, kfence_ksize() returns the exact\nrequested allocation size instead of the slab bucket size. If a caller\n(e.g. bpf_test_init) allocates skb head data via kzalloc() and the\nrequested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then\nslab_build_skb() -> ksize() returns that exact value. After subtracting\nskb_shared_info overhead, skb_end_offset ends up matching\nSKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free\nthe object to skb_small_head_cache instead of back to the original\nkmalloc cache, resulting in a slab cross-cache free:\n\n kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected\n skbuff_small_head but got kmalloc-1k\n\nFix this by always calling kfree(head) in skb_kfree_head(). This keeps\nthe free path generic and avoids allocator-specific misclassification\nfor KFENCE objects."}], "id": "CVE-2026-31429", "lastModified": "2026-04-20T10:16:16.737", "metrics": {}, "published": "2026-04-20T10:16:16.737", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2d64618ea846d8d033477311f805ca487d6a6696"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/474e00b935db250cac320d10c1d3cf4e44b46721"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/60313768a8edc7094435975587c00c2d7b834083"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: net: skb: fix cross-cache free of KFENCE-allocated skb head", "id": "2459692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459692"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-763", "details": ["A flaw was found in the Linux kernel. When the Kernel Electric Fence (KFENCE), a memory safety error detector, is enabled, a memory corruption vulnerability can occur. This happens because the `skb_kfree_head()` function incorrectly frees network buffer (skb) head data to the wrong memory cache. This misallocation can lead to system instability or denial of service."], "name": "CVE-2026-31429", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31429\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31429\nhttps://lore.kernel.org/linux-cve-announce/2026042006-CVE-2026-31429-a0e1@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf9f1baa279f0758dc2297080360c5a616843927,60313768a8edc7094435975587c00c2d7b834083)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf9f1baa279f0758dc2297080360c5a616843927,2d64618ea846d8d033477311f805ca487d6a6696)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf9f1baa279f0758dc2297080360c5a616843927,474e00b935db250cac320d10c1d3cf4e44b46721)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf9f1baa279f0758dc2297080360c5a616843927,0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.82,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.23,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.13,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-20T11:51:48.773114+00:00", "value": {"mitigation_remediation": ["Apply the official upstream kernel patch that changes skb_kfree_head to always use kfree().", "If patching is not immediately possible, recompile the kernel with KFENCE disabled (CONFIG_KFENCE=n).", "Audit and restrict user\u2011space code that can trigger skb allocation, especially BPF programs, until a patch or disabling of KFENCE is possible."], "summary": {"action": "Patch promptly", "impact": "Kernel memory corruption via improper cross\u2011cache free"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to any Linux kernel that uses the skb subsystem with KFENCE enabled. All kernel releases that ship the code unchanged prior to the patch are affected. No specific vendor or distribution list is supplied, so the impact is described in terms of the generic Linux kernel.", "description_and_impact": "The Linux kernel contains a flaw in the network buffer (skb) free logic. When Kernel\u2011Fences are enabled, the allocator returns the requested size instead of the slab bucket size, causing the deallocation routine to misclassify the object and free it to the wrong slab cache. This cross\u2011cache free can corrupt kernel memory or trigger a crash, potentially allowing an attacker to gain control or cause denial of service.", "risk_and_exploitability": "The CVSS score is not listed, and the EPSS score is unavailable; however the nature of the flaw\u2014freeing memory to an incorrect cache\u2014indicates a high\u2011severity risk. The vulnerability is not yet in CISA\u2019s KEV catalog. The most likely attack vector is local manipulation of user\u2011space code that triggers skb allocation, such as malicious BPF programs or crafted network packets, to exploit the misfree and corrupt kernel memory."}}}}, "created": "2026-04-20T11:30:05.324964+00:00", "updated": "2026-04-20T12:00:05.961486+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}