CVE-2026-31407

Severity: High · CVSS 3.1: 7.1 · EPSS: 6.6%
Published Apr 6, 2026 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: add missing netlink policy validations

Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.

These attributes are used by the kernel without any validation. Extend the netlink policies accordingly.

Quoting the reporter:

  nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..]

and:

  ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
6.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 8

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥2.6.27 – <6.6.136
linux    linux_kernel   *         ≥6.7 – <6.12.83
linux    linux_kernel   *         ≥6.13 – <6.18.24
linux    linux_kernel   *         ≥6.19 – <6.19.10
linux    linux_kernel   7.0       any
linux    linux_kernel   7.0       any
linux    linux_kernel   7.0       any
linux    linux_kernel   7.0       any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/67c53c1978cef3c504237275e39c857e2f6af56e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78bba9f73942aa7dca47d817d8cec0fb9b443b70
  • git.kernel.org https://git.kernel.org/stable/c/9174d28f3f15d8c4962f5980c0be167633880443
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/be88a337bf07afb1ee173f1099294d1b7ab3fefe
  • git.kernel.org https://git.kernel.org/stable/c/c5e918390002edf0cff80a0e7ce1f86f16a9507c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7b5766693477c52424cc6c79dd30a7a9c7db52c
  • git.kernel.org https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/67c53c1978cef3c504237275e39c857e2f6af56e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9174d28f3f15d8c4962f5980c0be167633880443
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c5e918390002edf0cff80a0e7ce1f86f16a9507c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05
    Patch