Skip to main content

Linux Kernel CVE-2026-31411

| EUVDEUVD-2026-20469 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-08 Linux GHSA-9q92-j4jr-j3jp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 20, 2026 - 16:08 vuln.today
CVSS changed
May 20, 2026 - 16:07 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
21c303fec138c002f90ed33bce60e807d53072bb,3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2,440c9a5fc477a8ee259d8bf669531250b8398651
EUVD ID Assigned
Apr 08, 2026 - 14:16 euvd
EUVD-2026-20469
CVE Published
Apr 08, 2026 - 13:06 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: atm: fix crash due to unvalidated vcc pointer in sigd_send()

Reproducer available at [1].

The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged:

int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef

In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values.

Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found.

Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used.

Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety.

[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3

AnalysisAI

Kernel crash via forged VCC pointer in the Linux kernel ATM networking subsystem (net/atm/sigd.c) allows a local low-privileged attacker who has assumed the ATM signaling daemon role to dereference arbitrary kernel memory, resulting in denial of service. The flaw affects Linux 2.6.12 through multiple current stable branches, with patches available for 5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x, and 7.0-rc1. A public reproducer exists at a GitHub gist, though the EPSS score of 0.02% (7th percentile) and absence from CISA KEV reflect the niche ATM subsystem's limited real-world attack surface.

Technical ContextAI

The affected code resides in the Linux kernel ATM (Asynchronous Transfer Mode) subsystem, specifically in net/atm/sigd.c. During normal ATM signaling operations, the kernel passes a vcc (Virtual Circuit Connection) pointer to the signaling daemon process via sigd_enq() when processing connect(), bind(), or listen() syscalls. The daemon is then expected to echo this pointer back in its response messages. The vulnerable code path (sendmsg → vcc_sendmsg → sigd_send) reads msg->vcc directly from the userspace-controlled message buffer without validating it against any kernel-side registry. CWE-476 (NULL Pointer Dereference) is the assigned root cause class, though the actual primitive is broader - it is an untrusted pointer dereference (CWE-822) where any arbitrary value, including 0xdeadbeef as demonstrated in the reproducer, can be passed and dereferenced as a struct atm_vcc pointer. The fix introduces find_get_vcc(), which validates the pointer by iterating over vcc_hash and acquires a reference via sock_hold() before use, mirroring the validation pattern already used in sigd_close(). CPE data (cpe:2.3:a:linux:linux:*) covers all Linux kernel versions from commit 1da177e4c3f4 (the initial git import, corresponding to 2.6.12).

RemediationAI

The primary fix is to upgrade to a patched Linux kernel stable release: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0-rc1 or later, as appropriate for the deployed branch. Patches are available as upstream commits on kernel.org (e.g., https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2 for mainline). Where immediate patching is not feasible, the most effective compensating control is to prevent loading of the ATM kernel module by blacklisting it: add 'blacklist atm' and 'install atm /bin/false' to /etc/modprobe.d/. This eliminates the attack surface entirely but will break any ATM-dependent functionality. Alternatively, restricting access to the AF_ATMSVC socket family using seccomp or LSM (AppArmor/SELinux) policies - specifically blocking socket(AF_ATMSVC, ...) and the ATMSIGD_CTRL ioctl - can prevent unprivileged users from acquiring the signaling daemon role, which is the required precondition. Note that these workarounds require policy changes that may affect system-level ATM management services if present.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-31411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy