CVE-2026-31429 | Linux Kernel up to 6.12.81/6.18.22/6.19.12 net skb_kfree_head allocation of resources

VDB-358298 · CVE-2026-31429 · WID-SEC-2026-1180 LINUX KERNEL UP TO 6.12.81/6.18.22/6.19.12 NET SKB_KFREE_HEAD ALLOCATION OF RESOURCES HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.3 $0-$5k 2.42+ Summaryinfo A vulnerability labeled as critical has been found in Linux Kernel up to 6.12.81/6.18.22/6.19.12. The affected element is the function skb_kfree_head of the component net. Such manipulation leads to allocation of resources. This vulnerability is listed as CVE-2026-31429. There is no available exploit. The affected component should be upgraded. Detailsinfo A vulnerability was found in Linux Kernel up to 6.12.81/6.18.22/6.19.12. It has been rated as critical. Affected by this issue is the function skb_kfree_head of the component net. The manipulation with an unknown input leads to a allocation of resources vulnerability. Using CWE to declare the problem leads to CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. The impact remains unknown. CVE summarizes: In the Linux kernel, the following vulnerability has been resolved: net: skb: fix cross-cache free of KFENCE-allocated skb head SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc bucket sizes. This ensures that skb_kfree_head() can reliably use skb_end_offset to distinguish skb heads allocated from skb_small_head_cache vs. generic kmalloc caches. However, when KFENCE is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If a caller (e.g. bpf_test_init) allocates skb head data via kzalloc() and the requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then slab_build_skb() -> ksize() returns that exact value. After subtracting skb_shared_info overhead, skb_end_offset ends up matching SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free the object to skb_small_head_cache instead of back to the original kmalloc cache, resulting in a slab cross-cache free: kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k Fix this by always calling kfree(head) in skb_kfree_head(). This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects. The advisory is available at git.kernel.org. This vulnerability is handled as CVE-2026-31429 since 03/09/2026. Technical details are known, but there is no available exploit. Upgrading to version 6.12.82, 6.18.23 or 6.19.13 eliminates this vulnerability. Applying the patch 60313768a8edc7094435975587c00c2d7b834083/2d64618ea846d8d033477311f805ca487d6a6696/474e00b935db250cac320d10c1d3cf4e44b46721/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. The vulnerability is also documented in the vulnerability database at CERT Bund (WID-SEC-2026-1180). Affected Open Source Linux Kernel Productinfo Type Operating System Vendor Linux Name Kernel Version 6.12.0 6.12.1 6.12.2 6.12.3 6.12.4 6.12.5 6.12.6 6.12.7 6.12.8 6.12.9 6.12.10 6.12.11 6.12.12 6.12.13 6.12.14 6.12.15 6.12.16 6.12.17 6.12.18 6.12.19 6.12.20 6.12.21 6.12.22 6.12.23 6.12.24 6.12.25 6.12.26 6.12.27 6.12.28 6.12.29 6.12.30 6.12.31 6.12.32 6.12.33 6.12.34 6.12.35 6.12.36 6.12.37 6.12.38 6.12.39 6.12.40 6.12.41 6.12.42 6.12.43 6.12.44 6.12.45 6.12.46 6.12.47 6.12.48 6.12.49 6.12.50 6.12.51 6.12.52 6.12.53 6.12.54 6.12.55 6.12.56 6.12.57 6.12.58 6.12.59 6.12.60 6.12.61 6.12.62 6.12.63 6.12.64 6.12.65 6.12.66 6.12.67 6.12.68 6.12.69 6.12.70 6.12.71 6.12.72 6.12.73 6.12.74 6.12.75 6.12.76 6.12.77 6.12.78 6.12.79 6.12.80 6.12.81 6.18.0 6.18.1 6.18.2 6.18.3 6.18.4 6.18.5 6.18.6 6.18.7 6.18.8 6.18.9 6.18.10 6.18.11 6.18.12 6.18.13 6.18.14 6.18.15 6.18.16 6.18.17 6.18.18 6.18.19 6.18.20 6.18.21 6.18.22 6.19.0 6.19.1 6.19.2 6.19.3 6.19.4 6.19.5 6.19.6 6.19.7 6.19.8 6.19.9 6.19.10 6.19.11 6.19.12 License open-source Website Vendor: https://www.kernel.org/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.5 VulDB Meta Temp Score: 5.3 VulDB Base Score: 5.5 VulDB Temp Score: 5.3 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Allocation of resources CWE: CWE-770 / CWE-400 / CWE-404 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Partially Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Kernel 6.12.82/6.18.23/6.19.13 Patch: 60313768a8edc7094435975587c00c2d7b834083/2d64618ea846d8d033477311f805ca487d6a6696/474e00b935db250cac320d10c1d3cf4e44b46721/0f42e3f4fe2a58394e37241d02d9ca6ab7b7d516 Timelineinfo 03/09/2026 CVE reserved 04/20/2026 +41 days Advisory disclosed 04/20/2026 +0 days VulDB entry created 04/20/2026 +0 days VulDB entry last update Sourcesinfo Vendor: kernel.org Advisory: git.kernel.org Status: Confirmed CVE: CVE-2026-31429 (🔒) GCVE (CVE): GCVE-0-2026-31429 GCVE (VulDB): GCVE-100-358298 CERT Bund: WID-SEC-2026-1180 - Linux Kernel: Mehrere Schwachstellen Entryinfo Created: 04/20/2026 12:37 Updated: 04/20/2026 14:00 Changes: 04/20/2026 12:37 (59), 04/20/2026 14:00 (7) Complete: 🔍 Cache ID: 99:789:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸