DEBIAN-CVE-2026-31680
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | linux | 6.17.9-1, 6.12.63-1, 6.12.63-1 |
| Debian:13 | linux | 6.12.85-1, 6.12.73-1, 6.12.74-1 |
| Debian:12 | linux | 6.7.9-2, 6.8.11-1, 6.8.12-1~bpo12+1 |
| Debian:11 | linux | 5.16.7-2, 0, 5.10.103-1~bpo10+1 |
| Debian:11 | linux-6.1 | 6.1.158-1, 6.1.159-1, 6.1.162-1 |
| Debian | linux |
Timeline
- Apr 25, 2026 CVE Published
- May 2, 2026 CVE Updated