CVE-2026-31675

HIGH EPSS 2.7%
Published Apr 25, 20262mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 25, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥2.6.16  –  <6.6.134
linuxlinux_kernel*≥6.7  –  <6.12.81
linuxlinux_kernel*≥6.13  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/13a66ca1e235d4bcd53d12d4c68490cad7f8e46f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3a2999704ac36cfb4041fed3652d26a3373e8d12
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4fd258e281fa8bc15e9ce2c7691941537e9258ad
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a14b56863348686dd0387eea8ce66b85cf455908
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d64cb81dcbd54927515a7f65e5e24affdc73c14b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/13a66ca1e235d4bcd53d12d4c68490cad7f8e46f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3a2999704ac36cfb4041fed3652d26a3373e8d12
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4fd258e281fa8bc15e9ce2c7691941537e9258ad
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a14b56863348686dd0387eea8ce66b85cf455908
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d64cb81dcbd54927515a7f65e5e24affdc73c14b
    Patch