CVE-2026-23331

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/03/2026
Last modified:
23/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.

Let's say we bind() a UDP socket to the wildcard address with a non-zero port, connect() it to an address, and disconnect it from the address.

bind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not SOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put the socket into the 4-tuple hash table.

Then, __udp_disconnect() calls sk->sk_prot->rehash(sk).

It computes a new hash based on the wildcard address and moves the socket to a new slot in the 4-tuple hash table, leaving garbage in the chain that no packet hits.

Let's remove such a socket from the 4-tuple hash table when disconnected.

Note that udp_sk(sk)->udp_portaddr_hash needs to be updated after udp_hash4_dec(hslot2) in udp_unhash4().

Vulnerable products and versions

CPE                                             From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.13.1 (including)   6.18.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.19 (including)     6.19.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
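
The affected ranges in the table above, encoded as a check against a `uname -r` style release string. This is an added example, not part of the advisory or the kernel fix; the function names are hypothetical and it assumes upstream version numbering. A distribution kernel may carry a backported fix under a version inside these ranges, so a match means "listed here", not "confirmed vulnerable".

```python
import platform
import re

# Ranges copied from the CPE table on this page.
# Lower bound inclusive, upper bound exclusive (the first fixed release).
AFFECTED_RANGES = [
    ((6, 13, 1), (6, 18, 17)),
    ((6, 19, 0), (6, 19, 7)),
]
AFFECTED_EXACT = {(6, 13, 0)}          # the 6.13 release itself
AFFECTED_RC = {(7, 0): range(1, 8)}    # 7.0-rc1 through 7.0-rc7

# Matches "6.18.5", "6.13", "7.0.0-rc3" and ignores any distro suffix
# such as "-200.fc41.x86_64" that follows the upstream version.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Return ((major, minor, patch), rc) where rc is None for a final release."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(rc) if rc else None)


def listed_as_affected(release):
    """True if the upstream version in `release` is listed in the table above."""
    version, rc = parse_release(release)
    if rc is not None:
        # A release candidate precedes its final release, so it cannot be
        # compared against the numeric ranges; only listed rcs match.
        return version[2] == 0 and rc in AFFECTED_RC.get(version[:2], ())
    if version in AFFECTED_EXACT:
        return True
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    rel = platform.release()
    status = "listed as affected" if listed_as_affected(rel) else "not listed"
    print(f"{rel}: {status} for CVE-2026-23331 (upstream numbering only)")
```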