In the Linux kernel, the following vulnerability has been resolved:
xfrm: Fix work re-schedule after cancel in xfrmnatkeepalivenetfini()
After canceldelayedworksync() is called from xfrmnatkeepalivenetfini(), xfrmstate_fini() flushes remaining states via __xfrmstatedelete(), which calls xfrmnatkeepalivestateupdated() to re-schedule natkeepalivework.
The following is a simple race scenario:
cpu0 cpu1
cleanupnet() [Round 1] opsundolist() xfrmnetexit() xfrmnatkeepalivenetfini() canceldelayedworksync(natkeepalivework); xfrmstatefini() xfrmstateflush() xfrmstatedelete(x) __xfrmstatedelete(x) xfrmnatkeepalivestateupdated(x) scheduledelayedwork(natkeepalivework); rcubarrier(); netcompletefree(); netpassivedec(net); llistadd(&net->deferfreelist, &deferfreelist);
cleanupnet() [Round 2] rcubarrier(); netcompletefree() kmemcachefree(netcachep, net); natkeepalive_work() // on freed net
To prevent this, canceldelayedworksync() is replaced with disabledelayedworksync().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31406.json",
"cna_assigner": "Linux"
}