Skip to main content

Linux Kernel CVE-2026-31414

| EUVDEUVD-2026-21932 CRITICAL
2026-04-13 Linux GHSA-79r8-qx2r-f755
Critical
Disputed · 9.8 Vendor: Linux
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.8 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:23 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
9.8 (CRITICAL)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
3dfd3f7712b5a800f2ba632179e9b738076a51f0,847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781,4bd1b3d839172724b33d8d02c5a4ff6a1c775417
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21932
Analysis Generated
Apr 13, 2026 - 13:45 vuln.today
CVE Published
Apr 13, 2026 - 13:21 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_expect: use expect->helper

Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe.

Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.

AnalysisAI

Use-after-free or race condition in Linux kernel netfilter connection tracking can lead to remote code execution, privilege escalation, or memory corruption. The vulnerability affects the nf_conntrack_expect module where unsafe access to helper names occurs without holding a reference to the master conntrack structure. Despite a critical CVSS score of 9.8 (network-accessible, no authentication required), EPSS exploitation probability is very low (0.02%, 7th percentile), and no active exploitation or public POC has been identified. Vendor patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0.

Technical ContextAI

This vulnerability resides in the Linux kernel's netfilter subsystem, specifically in the nf_conntrack_expect module responsible for connection tracking expectations. The issue involves unsafe dereferencing of helper pointers through nfct_help() without proper reference counting on the master conntrack structure. When ctnetlink (netlink-based conntrack control interface) or /proc filesystem handlers attempt to dump helper names, they may access freed memory or encounter race conditions. The fix changes the code to use expect->helper directly and adds proper reference handling via exp->master->helper in the ctnetlink path while holding the nf_conntrack_expect lock. This affects core network packet filtering infrastructure used by firewalls, NAT, and connection state tracking across virtually all Linux distributions and kernel versions from the initial git commit (1da177e4c3f4) until the patches applied in 2026.

RemediationAI

Apply vendor-released kernel updates to fixed versions: 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0 depending on your kernel branch. Distribution users should apply security updates through normal package management channels (apt, yum, dnf, zypper) when vendors release patched kernels. Upstream patches are available from git.kernel.org/stable at commits 847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781 (and five related commits listed in references). For systems that cannot immediately patch, consider disabling connection tracking helper modules if not required (modprobe -r nf_conntrack_* for unused protocol helpers), though this may break legitimate NAT or firewall functionality for protocols like FTP, SIP, or H.323 that require helper modules. Restrict access to /proc/net/nf_conntrack and netlink sockets (CAP_NET_ADMIN capability) to trusted administrative users only, reducing attack surface for ctnetlink exploitation paths. These mitigations reduce but do not eliminate risk; kernel patching remains the definitive solution.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy