CVE-2026-31700

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 01/05/2026
Last modified: 06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()

In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks.

The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory.

Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.
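
The check-then-re-read pattern described above, next to the copy-first form the fix adopts, as an added userspace model that is not the kernel's code. The struct, the validation rule and the `race_hook` callback are assumptions standing in for the shared ring buffer and the concurrent writer.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for a header in memory another party can write.
 * Field names are illustrative, not the kernel's struct virtio_net_hdr. */
struct hdr { uint16_t hdr_len; uint16_t csum_start; };
#define BUF_LEN 64u

/* Hypothetical hook modelling a concurrent writer that runs between the
 * check and the use, so the race is repeatable instead of timing-dependent. */
typedef void (*race_hook)(volatile struct hdr *shared);

static int validate(uint16_t hdr_len, uint16_t csum_start)
{
    return hdr_len <= BUF_LEN && csum_start < hdr_len;
}

/* Double fetch: validates the shared copy, then reads it again for use.
 * Returns the csum_start actually consumed, or -1 if rejected. */
int consume_double_fetch(volatile struct hdr *shared, race_hook hook)
{
    if (!validate(shared->hdr_len, shared->csum_start))
        return -1;
    if (hook)
        hook(shared);              /* window between check and use */
    return shared->csum_start;     /* second read was never validated */
}

/* Snapshot: read each field once into a local, then check and use the local. */
int consume_snapshot(volatile struct hdr *shared, race_hook hook)
{
    struct hdr local;
    local.hdr_len = shared->hdr_len;
    local.csum_start = shared->csum_start;
    if (!validate(local.hdr_len, local.csum_start))
        return -1;
    if (hook)
        hook(shared);              /* later writes no longer matter */
    return local.csum_start;
}

/* Constructed writer: stores a value that validate() would reject. */
void flip_to_invalid(volatile struct hdr *shared) { shared->csum_start = 0xFFFF; }

int main(void)
{
    volatile struct hdr h = { 32, 8 };
    return consume_snapshot(&h, flip_to_invalid) == 8 ? 0 : 1;
}
```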

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        4.6 (including)    6.6.136 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.12.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.13 (including)   6.18.25 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.19 (including)   7.0.2 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*