CVE-2026-31406
Severity:
Pending analysis
Type:
Not Available / Other type
Publication date:
06/04/2026
Last modified:
07/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()

After cancel_delayed_work_sync() is called from
xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining
states via __xfrm_state_delete(), which calls
xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.

The following is a simple race scenario:

        cpu0                                          cpu1

  cleanup_net() [Round 1]
    ops_undo_list()
      xfrm_net_exit()
        xfrm_nat_keepalive_net_fini()
          cancel_delayed_work_sync(nat_keepalive_work);
        xfrm_state_fini()
          xfrm_state_flush()
            xfrm_state_delete(x)
              __xfrm_state_delete(x)
                xfrm_nat_keepalive_state_updated(x)
                  schedule_delayed_work(nat_keepalive_work);
    rcu_barrier();
    net_complete_free();
      net_passive_dec(net);
        llist_add(&net->defer_free_list, &defer_free_list);

  cleanup_net() [Round 2]
    rcu_barrier();
    net_complete_free()
      kmem_cache_free(net_cachep, net);
                                                nat_keepalive_work()
                                                  // on freed net

To prevent this, cancel_delayed_work_sync() is replaced with
disable_delayed_work_sync().
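
The difference between the two calls in the teardown order above, shown as an added userspace model in C; it is not kernel code and not part of the original fix. The toy_* names are assumptions, and the model leaves out the timer delay and the wait for an already running instance.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of a delayed work item (assumed names, not kernel code). */
struct toy_dwork { bool pending; int disable_depth; };

/* Models schedule_delayed_work(): refuses to queue while disabled. */
static bool toy_schedule(struct toy_dwork *w)
{
    if (w->disable_depth > 0 || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models cancel_delayed_work_sync(): drops a pending instance only. */
static void toy_cancel_sync(struct toy_dwork *w) { w->pending = false; }

/* Models disable_delayed_work_sync(): cancels and blocks re-queueing. */
static void toy_disable_sync(struct toy_dwork *w)
{
    w->pending = false;
    w->disable_depth++;
}

/* Replays the teardown order; true means work is queued when net is freed. */
static bool work_pending_at_free(bool use_disable)
{
    struct toy_dwork nat_keepalive_work = { .pending = true };

    if (use_disable)                 /* xfrm_nat_keepalive_net_fini() */
        toy_disable_sync(&nat_keepalive_work);
    else
        toy_cancel_sync(&nat_keepalive_work);

    /* xfrm_state_fini() -> ... -> xfrm_nat_keepalive_state_updated(x) */
    toy_schedule(&nat_keepalive_work);

    /* kmem_cache_free(net_cachep, net) would run at this point */
    return nat_keepalive_work.pending;
}

int main(void)
{
    printf("cancel:  pending at free = %d\n", work_pending_at_free(false));
    printf("disable: pending at free = %d\n", work_pending_at_free(true));
    return 0;
}
```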



