CVE-2026-31680

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ipv6: flowlabel: defer exclusive option free until RCU teardown<br /> <br /> `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file<br /> RCU read-side lock and prints `fl-&gt;opt-&gt;opt_nflen` when an option block<br /> is present.<br /> <br /> Exclusive flowlabels currently free `fl-&gt;opt` as soon as `fl-&gt;users`<br /> drops to zero in `fl_release()`. However, the surrounding<br /> `struct ip6_flowlabel` remains visible in the global hash table until<br /> later garbage collection removes it and `fl_free_rcu()` finally tears it<br /> down.<br /> <br /> A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that<br /> early `kfree()` and dereference freed option state, triggering a crash<br /> in `ip6fl_seq_show()`.<br /> <br /> Fix this by keeping `fl-&gt;opt` alive until `fl_free_rcu()`. That matches<br /> the lifetime already required for the enclosing flowlabel while readers<br /> can still reach it under RCU.