Skip to main content

Linux Kernel CVE-2026-31417

| EUVDEUVD-2026-21938 HIGH
Integer Underflow (CWE-191)
2026-04-13 Linux GHSA-j4r7-4685-8m4m
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:24 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.5 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
1734bd85c5e0a7a801295b729efb56b009cb8fc3,8c92969c197b91c134be27dc3afb64ab468853a9,6e568835ea54a3e1d08e310e34f95d434e739477
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21938
Analysis Generated
Apr 13, 2026 - 13:45 vuln.today
CVE Published
Apr 13, 2026 - 13:21 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/x25: Fix overflow when accumulating packets

Add a check to ensure that x25_sock.fraglen does not overflow.

The fraglen also needs to be resetted when purging fragment_queue in x25_clear_queues().

AnalysisAI

Integer overflow in Linux kernel X.25 protocol stack allows remote unauthenticated attackers to trigger denial of service via fragmented packet accumulation. The fraglen field in x25_sock structure can overflow when processing fragmented X.25 packets, causing kernel crashes or resource exhaustion. Vendor-released patches confirm the vulnerability exists since initial Git history (2005) through kernel 6.19.x. EPSS score of 0.02% suggests low observed exploitation activity, though the network-accessible attack vector (AV:N) and lack of authentication requirements (PR:N) make this exploitable against any exposed X.25 network interface. No active exploitation confirmed (not in CISA KEV), but public patches reveal implementation details that could facilitate exploit development.

Technical ContextAI

The X.25 protocol is a legacy packet-switching network protocol standardized by ITU-T, primarily used in older WAN and industrial control systems. The Linux kernel implementation maintains a fragment reassembly queue in the x25_sock structure, accumulating fragmented packets in the fraglen field. The vulnerability stems from missing bounds checking when incrementing fraglen during fragment accumulation. Without overflow validation, an attacker can send a sequence of crafted fragmented X.25 packets that cause fraglen to wrap around, leading to incorrect memory operations. The fix adds explicit overflow checks before incrementing fraglen and ensures proper reset of fraglen when purging the fragment_queue in x25_clear_queues(). CPE data indicates the flaw exists across all Linux kernel versions from the initial Git import (commit 1da177e4c3f4, corresponding to kernel 2.6.12 from 2005) up to 6.19.x, affecting both legacy long-term support and current mainline kernels.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.168 or later for 6.1.x series, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+ for mainline. Patches available at https://git.kernel.org/stable/ under commits 798d613afb64, 96fc16370b0b, and related stable branch commits. If immediate patching is not feasible, disable X.25 protocol support as a compensating control: unload the x25 kernel module with 'rmmod x25' and blacklist it in /etc/modprobe.d/ to prevent automatic loading. This eliminates the attack surface but breaks any applications or network equipment relying on X.25 connectivity. For systems requiring X.25 functionality, restrict network access to X.25 interfaces using iptables/nftables rules, permitting only trusted source IPs - this reduces attack surface but does not eliminate risk from compromised trusted hosts. Verify X.25 is not loaded with 'lsmod | grep x25' and check for listening X.25 sockets with 'netstat -ax'. Organizations using X.25 for industrial control or legacy WAN should prioritize patching over workarounds due to difficulty isolating these systems.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31417 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy