Vulnerability-Lookup

WID-SEC-W-2026-1088

Vulnerability from csaf_certbund - Published: 2026-04-13 22:00 - Updated: 2026-05-20 22:00

Summary

Linux Kernel: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff: Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, darunter möglicherweise DoS-Angriffe, die Manipulation oder Offenlegung von Daten sowie die Umgehung von Sicherheitsmaßnahmen.

Betroffene Betriebssysteme: - Linux

CVE-2026-31414

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31415

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31416

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31417

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31418

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31419

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31420

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31421

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31422

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31423

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31424

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31425

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31426

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31427

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-31428

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

References

32 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://lore.kernel.org/linux-cve-announce/	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://lore.kernel.org/linux-cve-announce/202604…	external
https://msrc.microsoft.com/update-guide/	external
https://lists.debian.org/debian-security-announce…	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://lists.debian.org/debian-security-announce…	external
https://docs.cloud.google.com/container-optimized…	external
https://access.redhat.com/errata/RHSA-2026:13566	external
https://linux.oracle.com/errata/ELSA-2026-13566.html	external
https://errata.build.resf.org/RLSA-2026:13566	external
https://lists.debian.org/debian-security-announce…	external
https://access.redhat.com/errata/RHSA-2026:19521	external
https://ubuntu.com/security/notices/USN-8277-1	external
https://ubuntu.com/security/notices/USN-8278-1	external
https://ubuntu.com/security/notices/USN-8279-1	external
https://ubuntu.com/security/notices/USN-8289-1	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, darunter m\u00f6glicherweise DoS-Angriffe, die Manipulation oder Offenlegung von Daten sowie die Umgehung von Sicherheitsma\u00dfnahmen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1088 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1088.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1088 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1088"
      },
      {
        "category": "external",
        "summary": "Kernel CVE Announce Mailingliste",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31414",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041308-CVE-2026-31414-90e7@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31415",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041310-CVE-2026-31415-f7e1@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31416",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041310-CVE-2026-31416-9c4a@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31417",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041310-CVE-2026-31417-d47b@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31418",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041311-CVE-2026-31418-e6b9@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31419",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041353-CVE-2026-31419-e176@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31420",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041355-CVE-2026-31420-f7b0@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31421",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041355-CVE-2026-31421-78d7@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31422",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041356-CVE-2026-31422-04eb@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31423",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041356-CVE-2026-31423-ed66@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31424",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041356-CVE-2026-31424-704f@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31425",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041357-CVE-2026-31425-40d3@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31426",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041357-CVE-2026-31426-bfb3@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31427",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041357-CVE-2026-31427-1afe@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-31428",
        "url": "https://lore.kernel.org/linux-cve-announce/2026041358-CVE-2026-31428-20a2@gregkh/"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2026-04-14",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6238 vom 2026-05-04",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00148.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4561 vom 2026-05-02",
        "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00005.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6243 vom 2026-05-04",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00154.html"
      },
      {
        "category": "external",
        "summary": "Container-Optimized OS release notes vom 2026-05-02",
        "url": "https://docs.cloud.google.com/container-optimized-os/docs/release-notes#May_01_2026"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13566 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:13566"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-13566 vom 2026-05-06",
        "url": "https://linux.oracle.com/errata/ELSA-2026-13566.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:13566 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:13566"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6253 vom 2026-05-08",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00164.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19521 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19521"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8277-1 vom 2026-05-20",
        "url": "https://ubuntu.com/security/notices/USN-8277-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8278-1 vom 2026-05-20",
        "url": "https://ubuntu.com/security/notices/USN-8278-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8279-1 vom 2026-05-20",
        "url": "https://ubuntu.com/security/notices/USN-8279-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8289-1 vom 2026-05-21",
        "url": "https://ubuntu.com/security/notices/USN-8289-1"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-21T07:57:09.808+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1088",
      "initial_release_date": "2026-04-13T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-13T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-14T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2026-05-04T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-05T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2026-05-06T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-05-10T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat und Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Google Container-Optimized OS",
            "product": {
              "name": "Google Container-Optimized OS",
              "product_id": "1607324",
              "product_identification_helper": {
                "cpe": "cpe:/o:google:container-optimized_os:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Google"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "azl3",
                "product": {
                  "name": "Microsoft Azure Linux azl3",
                  "product_id": "T049210",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_linux:azl3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Linux Kernel",
            "product": {
              "name": "Open Source Linux Kernel",
              "product_id": "T052740",
              "product_identification_helper": {
                "cpe": "cpe:/o:linux:linux_kernel:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-31414",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31414"
    },
    {
      "cve": "CVE-2026-31415",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31415"
    },
    {
      "cve": "CVE-2026-31416",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31416"
    },
    {
      "cve": "CVE-2026-31417",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31417"
    },
    {
      "cve": "CVE-2026-31418",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31418"
    },
    {
      "cve": "CVE-2026-31419",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31419"
    },
    {
      "cve": "CVE-2026-31420",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31420"
    },
    {
      "cve": "CVE-2026-31421",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31421"
    },
    {
      "cve": "CVE-2026-31422",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31422"
    },
    {
      "cve": "CVE-2026-31423",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31423"
    },
    {
      "cve": "CVE-2026-31424",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31424"
    },
    {
      "cve": "CVE-2026-31425",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31425"
    },
    {
      "cve": "CVE-2026-31426",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31426"
    },
    {
      "cve": "CVE-2026-31427",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31427"
    },
    {
      "cve": "CVE-2026-31428",
      "product_status": {
        "known_affected": [
          "2951",
          "67646",
          "T000126",
          "T049210",
          "T004914",
          "1607324",
          "T052740",
          "T032255"
        ]
      },
      "release_date": "2026-04-13T22:00:00.000+00:00",
      "title": "CVE-2026-31428"
    }
  ]
}

CVE-2026-31414 (GCVE-0-2026-31414)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-05-11 22:08

Title

netfilter: nf_conntrack_expect: use expect->helper

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/847cb7fe26c5ce5dc…
https://git.kernel.org/stable/c/e7ccaa0a62a8ff2be…
https://git.kernel.org/stable/c/4bd1b3d839172724b…
https://git.kernel.org/stable/c/b53294bff19e56ada…
https://git.kernel.org/stable/c/3dfd3f7712b5a800f…
https://git.kernel.org/stable/c/f01794106042ee27e…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < 847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < e7ccaa0a62a8ff2be5d521299ce79390c318d306 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < 4bd1b3d839172724b33d8d02c5a4ff6a1c775417 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < b53294bff19e56ada2f230ceb8b1ffde61cc3817 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < 3dfd3f7712b5a800f2ba632179e9b738076a51f0 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < f01794106042ee27e54af6fdf5b319a2fe3df94d (git)
Linux	Linux	Affected: 2.6.30 Unaffected: 0 , < 2.6.30 (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conntrack_expect.c",
            "net/netfilter/nf_conntrack_helper.c",
            "net/netfilter/nf_conntrack_netlink.c",
            "net/netfilter/nf_conntrack_sip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781",
              "status": "affected",
              "version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
              "versionType": "git"
            },
            {
              "lessThan": "e7ccaa0a62a8ff2be5d521299ce79390c318d306",
              "status": "affected",
              "version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
              "versionType": "git"
            },
            {
              "lessThan": "4bd1b3d839172724b33d8d02c5a4ff6a1c775417",
              "status": "affected",
              "version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
              "versionType": "git"
            },
            {
              "lessThan": "b53294bff19e56ada2f230ceb8b1ffde61cc3817",
              "status": "affected",
              "version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
              "versionType": "git"
            },
            {
              "lessThan": "3dfd3f7712b5a800f2ba632179e9b738076a51f0",
              "status": "affected",
              "version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
              "versionType": "git"
            },
            {
              "lessThan": "f01794106042ee27e54af6fdf5b319a2fe3df94d",
              "status": "affected",
              "version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conntrack_expect.c",
            "net/netfilter/nf_conntrack_helper.c",
            "net/netfilter/nf_conntrack_netlink.c",
            "net/netfilter/nf_conntrack_sip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: use expect-\u003ehelper\n\nUse expect-\u003ehelper in ctnetlink and /proc to dump the helper name.\nUsing nfct_help() without holding a reference to the master conntrack\nis unsafe.\n\nUse exp-\u003emaster-\u003ehelper in ctnetlink path if userspace does not provide\nan explicit helper when creating an expectation to retain the existing\nbehaviour. The ctnetlink expectation path holds the reference on the\nmaster conntrack and nf_conntrack_expect lock and the nfnetlink glue\npath refers to the master ct that is attached to the skb."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:14.965Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7ccaa0a62a8ff2be5d521299ce79390c318d306"
        },
        {
          "url": "https://git.kernel.org/stable/c/4bd1b3d839172724b33d8d02c5a4ff6a1c775417"
        },
        {
          "url": "https://git.kernel.org/stable/c/b53294bff19e56ada2f230ceb8b1ffde61cc3817"
        },
        {
          "url": "https://git.kernel.org/stable/c/3dfd3f7712b5a800f2ba632179e9b738076a51f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f01794106042ee27e54af6fdf5b319a2fe3df94d"
        }
      ],
      "title": "netfilter: nf_conntrack_expect: use expect-\u003ehelper",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31414",
    "datePublished": "2026-04-13T13:21:02.592Z",
    "dateReserved": "2026-03-09T15:48:24.087Z",
    "dateUpdated": "2026-05-11T22:08:14.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31415 (GCVE-0-2026-31415)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-05-11 22:08

Title

ipv6: avoid overflows in ip6_datagram_send_ctl()

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided. - `include/net/ipv6.h`: - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible). (lines 291-307, especially 298) - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`: - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen` without rejecting duplicates. (lines 909-933) - `net/ipv6/ip6_output.c:__ip6_append_data()`: - Uses `opt->opt_flen + opt->opt_nflen` to compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465) - `net/ipv6/ip6_output.c:__ip6_make_skb()`: - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero. (lines 1930-1934) - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`: - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the pointed-to header). (lines 1179-1185 and 1206-1211) 1. `opt_flen` is a 16-bit accumulator: - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`. 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs and increments `opt_flen` each time: - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`: - It computes `len = ((hdr->hdrlen + 1) << 3);` - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns, CAP_NET_RAW)`. (line 922) - Then it does: - `opt->opt_flen += len;` (line 927) - `opt->dst1opt = hdr;` (line 928) There is no duplicate rejection here (unlike the legacy `IPV6_2292DSTOPTS` path which rejects duplicates at `net/ipv6/datagram.c:901-904`). If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps while `dst1opt` still points to a large (2048-byte) destination-options header. In the attached PoC (`poc.c`): - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048` - 1 cmsg with `hdrlen=0` => `len = 8` - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8` - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header. 3. The transmit path sizes headers using the wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1463-1465`: - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;` With wrapped `opt_flen`, `headersize`/headroom decisions underestimate what will be pushed later. 4. When building the final skb, the actual push length comes from `dst1opt` and is not limited by wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1930-1934`: - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);` - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes `dst1opt` via `ipv6_push_exthdr()`. - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does: - `skb_push(skb, ipv6_optlen(opt));` - `memcpy(h, opt, ipv6_optlen(opt));` With insufficient headroom, `skb_push()` underflows and triggers `skb_under_panic()` -> `BUG()`: - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`) - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`) - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`). - Root (or any task with `CAP_NET_RAW`) can trigger this without user namespaces. - An unprivileged `uid=1000` user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespaced `CAP_NET_RAW` (the attached PoC does this). - Local denial of service: kernel BUG/panic (system crash). - ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/2dbfb003bbf3fc0e9…
https://git.kernel.org/stable/c/4082f9984a6948291…
https://git.kernel.org/stable/c/0bdaf54d3aaddfe8d…
https://git.kernel.org/stable/c/5e4ee5dbea134e925…
https://git.kernel.org/stable/c/63fda74885555e6bd…
https://git.kernel.org/stable/c/9ed81d692758dfb94…
https://git.kernel.org/stable/c/872b74900d5daa370…
https://git.kernel.org/stable/c/4e453375561fc6082…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a (git) Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 4082f9984a694829153115d28c956a3534f52f29 (git) Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f (git) Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 5e4ee5dbea134e9257f205e31a96040bed71e83f (git) Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 63fda74885555e6bd1623b5d811feec998740ba4 (git) Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 9ed81d692758dfb9471d7799b24bfa7a08224c31 (git) Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 872b74900d5daa37067ac676d9001bb929fc6a2a (git) Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961 , < 4e453375561fc60820e6b9d8ebeb6b3ee177d42e (git)
Linux	Linux	Affected: 2.6.14 Unaffected: 0 , < 2.6.14 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/datagram.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "4082f9984a694829153115d28c956a3534f52f29",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "5e4ee5dbea134e9257f205e31a96040bed71e83f",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "63fda74885555e6bd1623b5d811feec998740ba4",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "9ed81d692758dfb9471d7799b24bfa7a08224c31",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "872b74900d5daa37067ac676d9001bb929fc6a2a",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            },
            {
              "lessThan": "4e453375561fc60820e6b9d8ebeb6b3ee177d42e",
              "status": "affected",
              "version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/datagram.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid overflows in ip6_datagram_send_ctl()\n\nYiming Qian reported :\n\u003cquote\u003e\n I believe I found a locally triggerable kernel bug in the IPv6 sendmsg\n ancillary-data path that can panic the kernel via `skb_under_panic()`\n (local DoS).\n\n The core issue is a mismatch between:\n\n - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type\n `__u16`) and\n - a pointer to the *last* provided destination-options header (`opt-\u003edst1opt`)\n\n when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.\n\n - `include/net/ipv6.h`:\n   - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).\n (lines 291-307, especially 298)\n - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:\n   - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`\n without rejecting duplicates. (lines 909-933)\n - `net/ipv6/ip6_output.c:__ip6_append_data()`:\n   - Uses `opt-\u003eopt_flen + opt-\u003eopt_nflen` to compute header\n sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)\n - `net/ipv6/ip6_output.c:__ip6_make_skb()`:\n   - Calls `ipv6_push_frag_opts()` if `opt-\u003eopt_flen` is non-zero.\n (lines 1930-1934)\n - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:\n   - Push size comes from `ipv6_optlen(opt-\u003edst1opt)` (based on the\n pointed-to header). (lines 1179-1185 and 1206-1211)\n\n 1. `opt_flen` is a 16-bit accumulator:\n\n - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.\n\n 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs\n and increments `opt_flen` each time:\n\n - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:\n   - It computes `len = ((hdr-\u003ehdrlen + 1) \u003c\u003c 3);`\n   - It checks `CAP_NET_RAW` using `ns_capable(net-\u003euser_ns,\n CAP_NET_RAW)`. (line 922)\n   - Then it does:\n     - `opt-\u003eopt_flen += len;` (line 927)\n     - `opt-\u003edst1opt = hdr;` (line 928)\n\n There is no duplicate rejection here (unlike the legacy\n `IPV6_2292DSTOPTS` path which rejects duplicates at\n `net/ipv6/datagram.c:901-904`).\n\n If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps\n while `dst1opt` still points to a large (2048-byte)\n destination-options header.\n\n In the attached PoC (`poc.c`):\n\n - 32 cmsgs with `hdrlen=255` =\u003e `len = (255+1)*8 = 2048`\n - 1 cmsg with `hdrlen=0` =\u003e `len = 8`\n - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`\n - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.\n\n 3. The transmit path sizes headers using the wrapped `opt_flen`:\n\n- In `net/ipv6/ip6_output.c:1463-1465`:\n  - `headersize = sizeof(struct ipv6hdr) + (opt ? opt-\u003eopt_flen +\n opt-\u003eopt_nflen : 0) + ...;`\n\n With wrapped `opt_flen`, `headersize`/headroom decisions underestimate\n what will be pushed later.\n\n 4. When building the final skb, the actual push length comes from\n `dst1opt` and is not limited by wrapped `opt_flen`:\n\n - In `net/ipv6/ip6_output.c:1930-1934`:\n   - `if (opt-\u003eopt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`\n - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes\n `dst1opt` via `ipv6_push_exthdr()`.\n - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:\n   - `skb_push(skb, ipv6_optlen(opt));`\n   - `memcpy(h, opt, ipv6_optlen(opt));`\n\n With insufficient headroom, `skb_push()` underflows and triggers\n `skb_under_panic()` -\u003e `BUG()`:\n\n - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)\n - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)\n\n - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target\n netns user namespace (`ns_capable(net-\u003euser_ns, CAP_NET_RAW)`).\n - Root (or any task with `CAP_NET_RAW`) can trigger this without user\n namespaces.\n - An unprivileged `uid=1000` user can trigger this if unprivileged\n user namespaces are enabled and it can create a userns+netns to obtain\n namespaced `CAP_NET_RAW` (the attached PoC does this).\n\n - Local denial of service: kernel BUG/panic (system crash).\n -\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:16.113Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4082f9984a694829153115d28c956a3534f52f29"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e83f"
        },
        {
          "url": "https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31"
        },
        {
          "url": "https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e"
        }
      ],
      "title": "ipv6: avoid overflows in ip6_datagram_send_ctl()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31415",
    "datePublished": "2026-04-13T13:21:03.284Z",
    "dateReserved": "2026-03-09T15:48:24.087Z",
    "dateUpdated": "2026-05-11T22:08:16.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31416 (GCVE-0-2026-31416)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-05-11 22:08

Title

netfilter: nfnetlink_log: account for netlink header size

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects.

Severity ?

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/4ec216410fac9de83…
https://git.kernel.org/stable/c/09883bf257f4243ed…
https://git.kernel.org/stable/c/761b45c661af48da6…
https://git.kernel.org/stable/c/607245c4dbb86d9a1…
https://git.kernel.org/stable/c/6b419700e459fbf70…
https://git.kernel.org/stable/c/88a8f56e6276f616b…
https://git.kernel.org/stable/c/f08ffa3e1c8e36b61…
https://git.kernel.org/stable/c/6d52a4a0520a6696b…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a , < 4ec216410fac9de83c99177a160ebb8d42fad075 (git) Affected: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a , < 09883bf257f4243ed5a1fd35078ec6f0d0f3696a (git) Affected: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a , < 761b45c661af48da6a065868d59ab1e1f64fd9b6 (git) Affected: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a , < 607245c4dbb86d9a10dd8388da0fb82170a99b61 (git) Affected: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a , < 6b419700e459fbf707ca1543b7c1b57a60fedb73 (git) Affected: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a , < 88a8f56e6276f616baad4274c6b8e4683e26e520 (git) Affected: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a , < f08ffa3e1c8e36b6131f69c5eb23700c28cbd262 (git) Affected: 9dfa1dfe4d5e5e66a991321ab08afe69759d797a , < 6d52a4a0520a6696bdde51caa11f2d6821cd0c01 (git) Affected: 3a758a2b78da2f49f7165678faf999e946a0c4b5 (git) Affected: 131172845aa2c804ffa9423455aee585061ea35e (git) Affected: b1fef6b81871a396f3b8702077333e769673c87b (git) Affected: add9183d993c12fb61ce0a674a424341d5be5b36 (git)
Linux	Linux	Affected: 3.18 Unaffected: 0 , < 3.18 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nfnetlink_log.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ec216410fac9de83c99177a160ebb8d42fad075",
              "status": "affected",
              "version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
              "versionType": "git"
            },
            {
              "lessThan": "09883bf257f4243ed5a1fd35078ec6f0d0f3696a",
              "status": "affected",
              "version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
              "versionType": "git"
            },
            {
              "lessThan": "761b45c661af48da6a065868d59ab1e1f64fd9b6",
              "status": "affected",
              "version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
              "versionType": "git"
            },
            {
              "lessThan": "607245c4dbb86d9a10dd8388da0fb82170a99b61",
              "status": "affected",
              "version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
              "versionType": "git"
            },
            {
              "lessThan": "6b419700e459fbf707ca1543b7c1b57a60fedb73",
              "status": "affected",
              "version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
              "versionType": "git"
            },
            {
              "lessThan": "88a8f56e6276f616baad4274c6b8e4683e26e520",
              "status": "affected",
              "version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
              "versionType": "git"
            },
            {
              "lessThan": "f08ffa3e1c8e36b6131f69c5eb23700c28cbd262",
              "status": "affected",
              "version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
              "versionType": "git"
            },
            {
              "lessThan": "6d52a4a0520a6696bdde51caa11f2d6821cd0c01",
              "status": "affected",
              "version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3a758a2b78da2f49f7165678faf999e946a0c4b5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "131172845aa2c804ffa9423455aee585061ea35e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b1fef6b81871a396f3b8702077333e769673c87b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "add9183d993c12fb61ce0a674a424341d5be5b36",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nfnetlink_log.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.18"
            },
            {
              "lessThan": "3.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.61",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.17.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: account for netlink header size\n\nThis is a followup to an old bug fix: NLMSG_DONE needs to account\nfor the netlink header size, not just the attribute size.\n\nThis can result in a WARN splat + drop of the netlink message,\nbut other than this there are no ill effects."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:17.264Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ec216410fac9de83c99177a160ebb8d42fad075"
        },
        {
          "url": "https://git.kernel.org/stable/c/09883bf257f4243ed5a1fd35078ec6f0d0f3696a"
        },
        {
          "url": "https://git.kernel.org/stable/c/761b45c661af48da6a065868d59ab1e1f64fd9b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/607245c4dbb86d9a10dd8388da0fb82170a99b61"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b419700e459fbf707ca1543b7c1b57a60fedb73"
        },
        {
          "url": "https://git.kernel.org/stable/c/88a8f56e6276f616baad4274c6b8e4683e26e520"
        },
        {
          "url": "https://git.kernel.org/stable/c/f08ffa3e1c8e36b6131f69c5eb23700c28cbd262"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d52a4a0520a6696bdde51caa11f2d6821cd0c01"
        }
      ],
      "title": "netfilter: nfnetlink_log: account for netlink header size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31416",
    "datePublished": "2026-04-13T13:21:03.974Z",
    "dateReserved": "2026-03-09T15:48:24.087Z",
    "dateUpdated": "2026-05-11T22:08:17.264Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31417 (GCVE-0-2026-31417)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-05-11 22:08

Title

net/x25: Fix overflow when accumulating packets

Summary

In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/96fc16370b0bceb28…
https://git.kernel.org/stable/c/798d613afb64b01a2…
https://git.kernel.org/stable/c/6e568835ea54a3e1d…
https://git.kernel.org/stable/c/1734bd85c5e0a7a80…
https://git.kernel.org/stable/c/4e2d1bcef78d21247…
https://git.kernel.org/stable/c/8c92969c197b91c13…
https://git.kernel.org/stable/c/f953f11ccf4afe6fe…
https://git.kernel.org/stable/c/a1822cb524e89b4cd…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 96fc16370b0bceb289c7e0479bd0540b81e257aa (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 798d613afb64b01a203f448fb0f43c37c6afe79d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6e568835ea54a3e1d08e310e34f95d434e739477 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1734bd85c5e0a7a801295b729efb56b009cb8fc3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4e2d1bcef78d21247fe8fef13bc7ed95885df2b5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8c92969c197b91c134be27dc3afb64ab468853a9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f953f11ccf4afe6feb635c08145f4240d9a6b544 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a1822cb524e89b4cd2cf0b82e484a2335496a6d9 (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/x25/x25_in.c",
            "net/x25/x25_subr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "96fc16370b0bceb289c7e0479bd0540b81e257aa",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "798d613afb64b01a203f448fb0f43c37c6afe79d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6e568835ea54a3e1d08e310e34f95d434e739477",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1734bd85c5e0a7a801295b729efb56b009cb8fc3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4e2d1bcef78d21247fe8fef13bc7ed95885df2b5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8c92969c197b91c134be27dc3afb64ab468853a9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f953f11ccf4afe6feb635c08145f4240d9a6b544",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a1822cb524e89b4cd2cf0b82e484a2335496a6d9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/x25/x25_in.c",
            "net/x25/x25_subr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix overflow when accumulating packets\n\nAdd a check to ensure that `x25_sock.fraglen` does not overflow.\n\nThe `fraglen` also needs to be resetted when purging `fragment_queue` in\n`x25_clear_queues()`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:18.396Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/96fc16370b0bceb289c7e0479bd0540b81e257aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/798d613afb64b01a203f448fb0f43c37c6afe79d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e568835ea54a3e1d08e310e34f95d434e739477"
        },
        {
          "url": "https://git.kernel.org/stable/c/1734bd85c5e0a7a801295b729efb56b009cb8fc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e2d1bcef78d21247fe8fef13bc7ed95885df2b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c92969c197b91c134be27dc3afb64ab468853a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f953f11ccf4afe6feb635c08145f4240d9a6b544"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1822cb524e89b4cd2cf0b82e484a2335496a6d9"
        }
      ],
      "title": "net/x25: Fix overflow when accumulating packets",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31417",
    "datePublished": "2026-04-13T13:21:04.638Z",
    "dateReserved": "2026-03-09T15:48:24.087Z",
    "dateUpdated": "2026-05-11T22:08:18.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31418 (GCVE-0-2026-31418)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-05-11 22:08

Title

netfilter: ipset: drop logically empty buckets in mtype_del

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.

Severity ?

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/c098ff857e7ca9235…
https://git.kernel.org/stable/c/58f3a14826d4e6b0d…
https://git.kernel.org/stable/c/ad92ee87462f9a306…
https://git.kernel.org/stable/c/6cea34d7ec6829b62…
https://git.kernel.org/stable/c/b7eef00f08b92b0b9…
https://git.kernel.org/stable/c/68ca0eea0af02bed3…
https://git.kernel.org/stable/c/ceacaa76f221a6577…
https://git.kernel.org/stable/c/9862ef9ab0a116c6d…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < c098ff857e7ca923539164af5b3c2fe3e8f8afaf (git) Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < 58f3a14826d4e6b0d5421f1a64be280b48601ea2 (git) Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb (git) Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < 6cea34d7ec6829b62f521a37a287f670144a2233 (git) Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < b7eef00f08b92b0b9efe8ae0df6d0005e6199323 (git) Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < 68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4 (git) Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < ceacaa76f221a6577aba945bb8873c2e640aeba4 (git) Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < 9862ef9ab0a116c6dca98842aab7de13a252ae02 (git) Affected: 6c717726f341fd8f39a3ec2dcf5d98d9d28a2769 (git) Affected: d2997d64dfa65082236bca1efd596b6c935daf5e (git)
Linux	Linux	Affected: 5.6 Unaffected: 0 , < 5.6 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipset/ip_set_hash_gen.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c098ff857e7ca923539164af5b3c2fe3e8f8afaf",
              "status": "affected",
              "version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
              "versionType": "git"
            },
            {
              "lessThan": "58f3a14826d4e6b0d5421f1a64be280b48601ea2",
              "status": "affected",
              "version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
              "versionType": "git"
            },
            {
              "lessThan": "ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb",
              "status": "affected",
              "version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
              "versionType": "git"
            },
            {
              "lessThan": "6cea34d7ec6829b62f521a37a287f670144a2233",
              "status": "affected",
              "version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
              "versionType": "git"
            },
            {
              "lessThan": "b7eef00f08b92b0b9efe8ae0df6d0005e6199323",
              "status": "affected",
              "version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
              "versionType": "git"
            },
            {
              "lessThan": "68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4",
              "status": "affected",
              "version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
              "versionType": "git"
            },
            {
              "lessThan": "ceacaa76f221a6577aba945bb8873c2e640aeba4",
              "status": "affected",
              "version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
              "versionType": "git"
            },
            {
              "lessThan": "9862ef9ab0a116c6dca98842aab7de13a252ae02",
              "status": "affected",
              "version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6c717726f341fd8f39a3ec2dcf5d98d9d28a2769",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d2997d64dfa65082236bca1efd596b6c935daf5e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipset/ip_set_hash_gen.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: drop logically empty buckets in mtype_del\n\nmtype_del() counts empty slots below n-\u003epos in k, but it only drops the\nbucket when both n-\u003epos and k are zero. This misses buckets whose live\nentries have all been removed while n-\u003epos still points past deleted slots.\n\nTreat a bucket as empty when all positions below n-\u003epos are unused and\nrelease it directly instead of shrinking it further."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:19.522Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c098ff857e7ca923539164af5b3c2fe3e8f8afaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/58f3a14826d4e6b0d5421f1a64be280b48601ea2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323"
        },
        {
          "url": "https://git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02"
        }
      ],
      "title": "netfilter: ipset: drop logically empty buckets in mtype_del",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31418",
    "datePublished": "2026-04-13T13:21:05.316Z",
    "dateReserved": "2026-03-09T15:48:24.087Z",
    "dateUpdated": "2026-05-11T22:08:19.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31419 (GCVE-0-2026-31419)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08

Title

net: bonding: fix use-after-free in bond_xmit_broadcast()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is "last" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the "last" determination stable against concurrent list mutations. The UAF can trigger the following crash: ================================================================== BUG: KASAN: slab-use-after-free in skb_clone Read of size 8 at addr ffff888100ef8d40 by task exploit/147 CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Allocated by task 147: Freed by task 147: The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/3453882f36c40d233…
https://git.kernel.org/stable/c/d4cc7e4c80b1634c7…
https://git.kernel.org/stable/c/f5b94654a4a19891a…
https://git.kernel.org/stable/c/2884bf72fb8f03409…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < 3453882f36c40d2339267093676585a89808a73d (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < d4cc7e4c80b1634c7b1497574a2fdb18df6c026c (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < f5b94654a4a19891a8108d66ef166de6c028c6cd (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < 2884bf72fb8f03409e423397319205de48adca16 (git) Affected: 20949c3816463e97c6f8fe84c0280c7e5ae83a8d (git) Affected: f1d206181f19b00b275b258fea1418718a2f4173 (git) Affected: c1f1691ef84fa6d38fa5e5148eca073145e97ffa (git)
Linux	Linux	Affected: 5.17 Unaffected: 0 , < 5.17 (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bonding/bond_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3453882f36c40d2339267093676585a89808a73d",
              "status": "affected",
              "version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
              "versionType": "git"
            },
            {
              "lessThan": "d4cc7e4c80b1634c7b1497574a2fdb18df6c026c",
              "status": "affected",
              "version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
              "versionType": "git"
            },
            {
              "lessThan": "f5b94654a4a19891a8108d66ef166de6c028c6cd",
              "status": "affected",
              "version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
              "versionType": "git"
            },
            {
              "lessThan": "2884bf72fb8f03409e423397319205de48adca16",
              "status": "affected",
              "version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "20949c3816463e97c6f8fe84c0280c7e5ae83a8d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f1d206181f19b00b275b258fea1418718a2f4173",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c1f1691ef84fa6d38fa5e5148eca073145e97ffa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bonding/bond_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.94",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.16.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free in bond_xmit_broadcast()\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop.  This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n \u003c/TASK\u003e\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                                                    ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n=================================================================="
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:20.680Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3453882f36c40d2339267093676585a89808a73d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4cc7e4c80b1634c7b1497574a2fdb18df6c026c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5b94654a4a19891a8108d66ef166de6c028c6cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2884bf72fb8f03409e423397319205de48adca16"
        }
      ],
      "title": "net: bonding: fix use-after-free in bond_xmit_broadcast()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31419",
    "datePublished": "2026-04-13T13:40:23.279Z",
    "dateReserved": "2026-03-09T15:48:24.088Z",
    "dateUpdated": "2026-05-11T22:08:20.680Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31420 (GCVE-0-2026-31420)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08

Title

bridge: mrp: reject zero test interval to avoid OOM panic

Summary

In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock. The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames. Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.

Severity ?

No CVSS data available.

Assigner

Linux

References

2 references

URL	Tags
https://git.kernel.org/stable/c/c9bc352f716d1bebf…
https://git.kernel.org/stable/c/fa6e24963342de437…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 20f6a05ef63594feb0c6dfbd629da0448b43124d , < c9bc352f716d1bebfe43354bce539ec2d0223b30 (git) Affected: 20f6a05ef63594feb0c6dfbd629da0448b43124d , < fa6e24963342de4370e3a3c9af41e38277b74cf3 (git)
Linux	Linux	Affected: 5.8 Unaffected: 0 , < 5.8 (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_mrp_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c9bc352f716d1bebfe43354bce539ec2d0223b30",
              "status": "affected",
              "version": "20f6a05ef63594feb0c6dfbd629da0448b43124d",
              "versionType": "git"
            },
            {
              "lessThan": "fa6e24963342de4370e3a3c9af41e38277b74cf3",
              "status": "affected",
              "version": "20f6a05ef63594feb0c6dfbd629da0448b43124d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_mrp_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mrp: reject zero test interval to avoid OOM panic\n\nbr_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied\ninterval value from netlink without validation. When interval is 0,\nusecs_to_jiffies(0) yields 0, causing the delayed work\n(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule\nitself with zero delay. This creates a tight loop on system_percpu_wq\nthat allocates and transmits MRP test frames at maximum rate, exhausting\nall system memory and causing a kernel panic via OOM deadlock.\n\nThe same zero-interval issue applies to br_mrp_start_in_test_parse()\nfor interconnect test frames.\n\nUse NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both\nIFLA_BRIDGE_MRP_START_TEST_INTERVAL and\nIFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the\nnetlink attribute parsing layer before the value ever reaches the\nworkqueue scheduling code. This is consistent with how other bridge\nsubsystems (br_fdb, br_mst) enforce range constraints on netlink\nattributes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:21.817Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c9bc352f716d1bebfe43354bce539ec2d0223b30"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa6e24963342de4370e3a3c9af41e38277b74cf3"
        }
      ],
      "title": "bridge: mrp: reject zero test interval to avoid OOM panic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31420",
    "datePublished": "2026-04-13T13:40:24.594Z",
    "dateReserved": "2026-03-09T15:48:24.088Z",
    "dateUpdated": "2026-05-11T22:08:21.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31421 (GCVE-0-2026-31421)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08

Title

net/sched: cls_fw: fix NULL pointer dereference on shared blocks

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified. Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks. The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)

Severity ?

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/d6d5bd62a09650856…
https://git.kernel.org/stable/c/febf64ca79a2d6540…
https://git.kernel.org/stable/c/3d41f9a314afa94b1…
https://git.kernel.org/stable/c/18328eff2f97d1a6a…
https://git.kernel.org/stable/c/5cf41031922c154aa…
https://git.kernel.org/stable/c/3cb055df9e8625ce6…
https://git.kernel.org/stable/c/96426c348def662b0…
https://git.kernel.org/stable/c/faeea8bbf6e958bf3…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < d6d5bd62a09650856e1e2010eb09853eba0d64e1 (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < febf64ca79a2d6540ab6e5e197fa0f4f7e84473e (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 3d41f9a314afa94b1c7c7c75405920123220e8cd (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28 (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 5cf41031922c154aa5ccda8bcdb0f5e6226582ec (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 3cb055df9e8625ce699a259d8178d67b37f2b160 (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 96426c348def662b06bfdc65be3002905604927a (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < faeea8bbf6e958bf3c00cb08263109661975987c (git)
Linux	Linux	Affected: 4.15 Unaffected: 0 , < 4.15 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/cls_fw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d6d5bd62a09650856e1e2010eb09853eba0d64e1",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "febf64ca79a2d6540ab6e5e197fa0f4f7e84473e",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "3d41f9a314afa94b1c7c7c75405920123220e8cd",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "5cf41031922c154aa5ccda8bcdb0f5e6226582ec",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "3cb055df9e8625ce699a259d8178d67b37f2b160",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "96426c348def662b06bfdc65be3002905604927a",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "faeea8bbf6e958bf3c00cb08263109661975987c",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/cls_fw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL pointer dereference on shared blocks\n\nThe old-method path in fw_classify() calls tcf_block_q() and\ndereferences q-\u003ehandle.  Shared blocks leave block-\u003eq NULL, causing a\nNULL deref when an empty cls_fw filter is attached to a shared block\nand a packet with a nonzero major skb mark is classified.\n\nReject the configuration in fw_change() when the old method (no\nTCA_OPTIONS) is used on a shared block, since fw_classify()\u0027s\nold-method path needs block-\u003eq which is NULL for shared blocks.\n\nThe fixed null-ptr-deref calling stack:\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:fw_classify (net/sched/cls_fw.c:81)\n Call Trace:\n  tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)\n  tc_run (net/core/dev.c:4401)\n  __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:22.956Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d6d5bd62a09650856e1e2010eb09853eba0d64e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/febf64ca79a2d6540ab6e5e197fa0f4f7e84473e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d41f9a314afa94b1c7c7c75405920123220e8cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28"
        },
        {
          "url": "https://git.kernel.org/stable/c/5cf41031922c154aa5ccda8bcdb0f5e6226582ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cb055df9e8625ce699a259d8178d67b37f2b160"
        },
        {
          "url": "https://git.kernel.org/stable/c/96426c348def662b06bfdc65be3002905604927a"
        },
        {
          "url": "https://git.kernel.org/stable/c/faeea8bbf6e958bf3c00cb08263109661975987c"
        }
      ],
      "title": "net/sched: cls_fw: fix NULL pointer dereference on shared blocks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31421",
    "datePublished": "2026-04-13T13:40:25.278Z",
    "dateReserved": "2026-03-09T15:48:24.088Z",
    "dateUpdated": "2026-05-11T22:08:22.956Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31422 (GCVE-0-2026-31422)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08

Title

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] =======================================================================

Severity ?

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/57f94ac7e953eece5…
https://git.kernel.org/stable/c/942813276edeb1741…
https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2…
https://git.kernel.org/stable/c/4a09f72007201c9f6…
https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5…
https://git.kernel.org/stable/c/a208c3e1232997e93…
https://git.kernel.org/stable/c/415ea0c973c754b9f…
https://git.kernel.org/stable/c/1a280dd4bd1d616a0…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 57f94ac7e953eece5ed4819605a18f3cdfc63dcc (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 942813276edeb1741fa5b0a73471beb4e495fa08 (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < cc707a4fd4c3b6ab2722e06bc359aa010e13d408 (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 4a09f72007201c9f667dc47f64517ec23eea65e5 (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < a208c3e1232997e9317887294c20008dfcb75449 (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 415ea0c973c754b9f375225807810eb9045f4293 (git) Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 1a280dd4bd1d616a01d6ffe0de284c907b555504 (git)
Linux	Linux	Affected: 4.15 Unaffected: 0 , < 4.15 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/cls_flow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57f94ac7e953eece5ed4819605a18f3cdfc63dcc",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "942813276edeb1741fa5b0a73471beb4e495fa08",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "cc707a4fd4c3b6ab2722e06bc359aa010e13d408",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "4a09f72007201c9f667dc47f64517ec23eea65e5",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "a208c3e1232997e9317887294c20008dfcb75449",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "415ea0c973c754b9f375225807810eb9045f4293",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            },
            {
              "lessThan": "1a280dd4bd1d616a01d6ffe0de284c907b555504",
              "status": "affected",
              "version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/cls_flow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_flow: fix NULL pointer dereference on shared blocks\n\nflow_change() calls tcf_block_q() and dereferences q-\u003ehandle to derive\na default baseclass.  Shared blocks leave block-\u003eq NULL, causing a NULL\nderef when a flow filter without a fully qualified baseclass is created\non a shared block.\n\nCheck tcf_block_shared() before accessing block-\u003eq and return -EINVAL\nfor shared blocks.  This avoids the null-deref shown below:\n\n=======================================================================\nKASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\nRIP: 0010:flow_change (net/sched/cls_flow.c:508)\nCall Trace:\n tc_new_tfilter (net/sched/cls_api.c:2432)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)\n [...]\n======================================================================="
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:24.111Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57f94ac7e953eece5ed4819605a18f3cdfc63dcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/942813276edeb1741fa5b0a73471beb4e495fa08"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449"
        },
        {
          "url": "https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504"
        }
      ],
      "title": "net/sched: cls_flow: fix NULL pointer dereference on shared blocks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31422",
    "datePublished": "2026-04-13T13:40:25.911Z",
    "dateReserved": "2026-03-09T15:48:24.088Z",
    "dateUpdated": "2026-05-11T22:08:24.111Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31423 (GCVE-0-2026-31423)

Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08

Title

net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path: Oops: divide error: 0000 RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601) Call Trace: init_ed (net/sched/sch_hfsc.c:629) hfsc_enqueue (net/sched/sch_hfsc.c:1569) [...] Widen `dsm` to u64 and replace do_div() with div64_u64() so the full difference is preserved.

Severity ?

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/ad8e8fec40290a8c8…
https://git.kernel.org/stable/c/ab1ff5890c7354afc…
https://git.kernel.org/stable/c/25b6821884713a31e…
https://git.kernel.org/stable/c/c56f78614e7781aac…
https://git.kernel.org/stable/c/b9e6431cbea8bb1fa…
https://git.kernel.org/stable/c/17c1b9807b8a67d67…
https://git.kernel.org/stable/c/d0aefec1b1a1ba2c1…
https://git.kernel.org/stable/c/4576100b8cd031182…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ad8e8fec40290a8c8cf145c0deaadf76f80c5163 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 25b6821884713a31e2b49fb67b0ebd765b33e0a9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c56f78614e7781aaceca9bd3cb2128bf7d45c3bd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b9e6431cbea8bb1fae8069ed099b4ee100499835 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17c1b9807b8a67d676b6dcf749ee932ebaa7f568 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4576100b8cd03118267513cafacde164b498b322 (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_hfsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ad8e8fec40290a8c8cf145c0deaadf76f80c5163",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "25b6821884713a31e2b49fb67b0ebd765b33e0a9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c56f78614e7781aaceca9bd3cb2128bf7d45c3bd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b9e6431cbea8bb1fae8069ed099b4ee100499835",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "17c1b9807b8a67d676b6dcf749ee932ebaa7f568",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4576100b8cd03118267513cafacde164b498b322",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_hfsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_hfsc: fix divide-by-zero in rtsc_min()\n\nm2sm() converts a u32 slope to a u64 scaled value.  For large inputs\n(e.g. m1=4000000000), the result can reach 2^32.  rtsc_min() stores\nthe difference of two such u64 values in a u32 variable `dsm` and\nuses it as a divisor.  When the difference is exactly 2^32 the\ntruncation yields zero, causing a divide-by-zero oops in the\nconcave-curve intersection path:\n\n  Oops: divide error: 0000\n  RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)\n  Call Trace:\n   init_ed (net/sched/sch_hfsc.c:629)\n   hfsc_enqueue (net/sched/sch_hfsc.c:1569)\n   [...]\n\nWiden `dsm` to u64 and replace do_div() with div64_u64() so the full\ndifference is preserved."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:25.251Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ad8e8fec40290a8c8cf145c0deaadf76f80c5163"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/25b6821884713a31e2b49fb67b0ebd765b33e0a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c56f78614e7781aaceca9bd3cb2128bf7d45c3bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9e6431cbea8bb1fae8069ed099b4ee100499835"
        },
        {
          "url": "https://git.kernel.org/stable/c/17c1b9807b8a67d676b6dcf749ee932ebaa7f568"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4576100b8cd03118267513cafacde164b498b322"
        }
      ],
      "title": "net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31423",
    "datePublished": "2026-04-13T13:40:26.567Z",
    "dateReserved": "2026-03-09T15:48:24.088Z",
    "dateUpdated": "2026-05-11T22:08:25.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1088

CVE-2026-31414 (GCVE-0-2026-31414)

CVE-2026-31415 (GCVE-0-2026-31415)

CVE-2026-31416 (GCVE-0-2026-31416)

CVE-2026-31417 (GCVE-0-2026-31417)

CVE-2026-31418 (GCVE-0-2026-31418)

CVE-2026-31419 (GCVE-0-2026-31419)

CVE-2026-31420 (GCVE-0-2026-31420)

CVE-2026-31421 (GCVE-0-2026-31421)

CVE-2026-31422 (GCVE-0-2026-31422)

CVE-2026-31423 (GCVE-0-2026-31423)

Tags

Sightings

Nomenclature