CVE-2026-31684
Published: Apr 25, 2026
Modified: Jun 1, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area, and the following skb_pull(VLAN_HLEN) may violate skb invariants. Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and pulling each nested VLAN header. If the header still is not fully available, drop the packet through the existing error path.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 - < 0410c619e86551677fb79887a38eccad3f5a0725affected 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 - < 886469b6455611a511aa6013e957e15e50577513affected 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 - < 46c07ad50fa2f4ba7663ee1b72b75ad7ad45cf09affected 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 - < eb3765b90eb8f2a3d6310a80c14a9e57ec4267a2affected 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 - < a69738efea0996d05a3c7d2178551b891744df1b+5 more versions |
Linux | Linux | affected 5.1unaffected 0 - < 5.1unaffected 5.10.258 - <= 5.10.*unaffected 5.15.209 - <= 5.15.*unaffected 6.1.175 - <= 6.1.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now