CVE-2026-31407
Published: Apr 6, 2026
Modified: Jun 1, 2026
CVSS v3.1
7.1
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected a258860e01b80e8f554a4ab1a6c95e6042eb8b73 - < e7b5766693477c52424cc6c79dd30a7a9c7db52caffected a258860e01b80e8f554a4ab1a6c95e6042eb8b73 - < 78bba9f73942aa7dca47d817d8cec0fb9b443b70affected a258860e01b80e8f554a4ab1a6c95e6042eb8b73 - < be88a337bf07afb1ee173f1099294d1b7ab3fefeaffected a258860e01b80e8f554a4ab1a6c95e6042eb8b73 - < c5e918390002edf0cff80a0e7ce1f86f16a9507caffected a258860e01b80e8f554a4ab1a6c95e6042eb8b73 - < 9174d28f3f15d8c4962f5980c0be167633880443+3 more versions |
Linux | Linux | affected 2.6.27unaffected 0 - < 2.6.27unaffected 5.10.258 - <= 5.10.*unaffected 5.15.209 - <= 5.15.*unaffected 6.1.175 - <= 6.1.*+5 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now