Description
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
INFO
Published Date :
2026-04-25T08:46:56.807Z
Last Modified :
2026-04-27T14:05:00.799Z
Source :
Linux
AFFECTED PRODUCTS
The following products are affected by CVE-2026-31680 vulnerability.
| Vendors | Products |
|---|---|
| Linux |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31680.
