High

TOCTOU race in Linux kernel net/packet tpacket_snd() mmap'd vnet_hdr handling

IdentifiersCVE-2026-31700CWE-367

CVE-2026-31700 is a local Linux kernel vulnerability in the net/packet subsystem, specifically the AF_PACKET TPACKET transmit path in tpacket_snd() when PACKET_VNET_HDR is enabled. In the vulnerable path, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel first validates the virtio network header via __packet_snd_vnet_parse(), but later re-reads the header fields in virtio_net_hdr_to_skb() from the same user-controlled shared memory. Because the header is not copied to stable kernel memory before both operations, a concurrent userspace thread can modify vnet_hdr fields after validation but before use, creating a time-of-check to time-of-use race that bypasses the intended safety checks. The upstream fix copies vnet_hdr from the mmap'd ring buffer into a stack-local variable before validation and use, matching the already-safe behavior in packet_snd() and other kernel consumers such as tun.c, tap.c, and virtio_net.c.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local attacker with access to the affected packet socket path to bypass kernel validation of virtio network header fields by racing modifications between check and use. Published scoring indicates potential high impact to confidentiality, integrity, and availability. The practical consequence is unsafe kernel packet processing in the TPACKET TX path, which may enable further memory corruption or other kernel-level misuse depending on the manipulated header values and runtime conditions.

Mitigation

If you can’t patch tonight, do this now.

No complete workaround is documented in the provided content. Until patched, reduce exposure by restricting untrusted local users and processes from creating or using affected AF_PACKET/TPACKET transmit paths with PACKET_VNET_HDR enabled, and by limiting access to packet socket functionality and mmap'd TX ring buffer features where operationally feasible.

Remediation

Patch, then assume compromise.

Update to a Linux kernel release that includes the upstream fix for CVE-2026-31700. The fix changes tpacket_snd() to copy vnet_hdr from the mmap'd TX ring buffer into a stack-local variable before both validation and later use. Vendor advisories indicate fixed builds are available across multiple SUSE product lines, including kernel-default >= 5.14.21-150500.55.166.1 for multiple SLES 15 SP5 products, >= 6.4.0-150600.23.112.1 for multiple SLES 15 SP6 products, >= 6.4.0-150700.53.55.1 for multiple SLES 15 SP7 products, and >= 6.12.0-160000.33.1 for SLES 16.0, SUSE Linux Micro 6.2, and openSUSE Leap 16.0. Apply the relevant vendor kernel update and reboot into the patched kernel.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

bugzilla suseNews

Jun 4, 2026

1263882 - (CVE-2026-31700) VUL-0: CVE-2026-31700: kernel: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()

A Linux kernel TOCTOU race condition in net/packet tpacket_snd() when PACKET_VNET_HDR is enabled. The flaw arises because vnet_hdr is read directly from a mmap'd TX ring buffer shared with userspace, allowing modification between validation and use and bypassing safety checks.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-31700

NVD

nvd.nist.gov/vuln/detail/CVE-2026-31700

MITRE CWE · CWE-367

cwe.mitre.org

Patch

git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27

Patch

git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5

Patch

git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd

Patch

git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b

Patch

git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121