Skip to main content

Linux CVE-2026-23331

| EUVDEUVD-2026-15289 MEDIUM
2026-03-25 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
3.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:27 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15289
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.

Let's say we bind() an UDP socket to the wildcard address with a non-zero port, connect() it to an address, and disconnect it from the address.

bind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not SOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put the socket into the 4-tuple hash table.

Then, __udp_disconnect() calls sk->sk_prot->rehash(sk).

It computes a new hash based on the wildcard address and moves the socket to a new slot in the 4-tuple hash table, leaving a garbage in the chain that no packet hits.

Let's remove such a socket from 4-tuple hash table when disconnected.

Note that udp_sk(sk)->udp_portaddr_hash needs to be udpated after udp_hash4_dec(hslot2) in udp_unhash4().

AnalysisAI

A resource management vulnerability in the Linux kernel UDP implementation causes improper handling of socket state during disconnect operations. When a UDP socket is bound to a wildcard address, connected to a remote peer, and then disconnected, the kernel fails to properly remove the socket from the 4-tuple hash table, leaving stale entries that can lead to information disclosure or denial of service conditions. All Linux kernel versions using the affected UDP code path are impacted, with patches available through the Linux kernel stable tree.

Technical ContextAI

This vulnerability exists in the Linux kernel's UDP (User Datagram Protocol) implementation, specifically in the socket hashing and connection management routines. The issue occurs in the interaction between bind(), connect(), and disconnect() system calls on UDP sockets. When SOCK_BINDPORT_LOCK is set by bind() but SOCK_BINDADDR_LOCK is not, and the socket is connected via udp_lib_hash4() into the 4-tuple hash table, the subsequent disconnect operation via __udp_disconnect() calls sk->sk_prot->rehash() which recomputes the hash based on the wildcard address. This leaves garbage entries in the 4-tuple hash chain that are unreachable but never cleaned up. The root cause is improper state management in the socket unhashing mechanism (CWE category related to resource management and information disclosure), affecting the Linux kernel across multiple versions via the cpe:2.3:a:linux:linux CPE designation.

RemediationAI

Update the Linux kernel to a version incorporating commits b955350778b8715e1b7885179979b3a68221c0fb, 3b8f104880c104151f8c30f2f89df81fb59a286c, or 6996a2d2d0a64808c19c98002aeb5d9d1b2df6a4 from the Linux kernel stable tree (available at https://git.kernel.org/stable/). For distribution users, apply the latest kernel security updates from your vendor (RHEL via yum/dnf, Ubuntu via apt, Debian via apt, etc.). Until patching is possible, mitigate risk by restricting socket-level operations through AppArmor or SELinux policies that limit UDP socket creation and manipulation, disabling UDP services that are not required, and isolating untrusted workloads to separate kernel namespaces or containers with restricted network capabilities.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy