CVE-2026-31504

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fix fanout UAF in packet_release() via NETDEV_UP race<br /> <br /> `packet_release()` has a race window where `NETDEV_UP` can re-register a<br /> socket into a fanout group&amp;#39;s `arr[]` array. The re-registration is not<br /> cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout<br /> array.<br /> `packet_release()` does NOT zero `po-&gt;num` in its `bind_lock` section.<br /> After releasing `bind_lock`, `po-&gt;num` is still non-zero and `po-&gt;ifindex`<br /> still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`<br /> that already found the socket in `sklist` can re-register the hook.<br /> For fanout sockets, this re-registration calls `__fanout_link(sk, po)`<br /> which adds the socket back into `f-&gt;arr[]` and increments `f-&gt;num_members`,<br /> but does NOT increment `f-&gt;sk_ref`.<br /> <br /> The fix sets `po-&gt;num` to zero in `packet_release` while `bind_lock` is<br /> held to prevent NETDEV_UP from linking, preventing the race window.<br /> <br /> This bug was found following an additional audit with Claude Code based<br /> on CVE-2025-38617.