Debian and F5 issued security advisories for multiple Linux kernel vulnerabilities after disclosure of CVE-2026-31533, a flaw in the kernel net/tls subsystem. Google security research documentation describes the bug as a use-after-free in the -EBUSY error path of tls_do_encryption(), caused by a double decrement of the encrypt_pending sentinel and a double scatterlist restore, creating a condition that can corrupt kernel memory.
The vulnerability was reported as having been exploited as a zero-day against lts-6.12.77 and cos-121-18867.381.30, and the published kernelCTF material said the issue reproduced reliably in an exploit_repro workflow. The coordinated advisories indicate downstream impact across Linux-based products, with Debian shipping DSA 6355-1 for linux and F5 warning customers about multiple Linux kernel vulnerabilities that include the affected code base.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
A Google security-research pull request added a kernelCTF entry for CVE-2026-31533, describing a use-after-free in the Linux kernel net/tls subsystem. The reference says the flaw had reportedly been exploited as a zero-day on lts-6.12.77 and cos-121-18867.381.30 and reproduced reliably in the referenced exploit workflow.
F5 published advisory K000161821 covering multiple Linux kernel vulnerabilities. The reference shows the advisory was released on that date.
Debian issued security advisory DSA 6355-1 for the Linux kernel. The reference indicates a Linux security update was published by Debian on that date.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
my.f5.com
Open sourcegithub.com
Open sourcelists.debian.org
Open sourcesentinelone.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.