Skip to main content

Linux Kernel CVE-2026-31418

| EUVDEUVD-2026-21941 MEDIUM
2026-04-13 Linux GHSA-vwvf-62c8-j66c
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 19:38 vuln.today
CVSS changed
May 20, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
9862ef9ab0a116c6dca98842aab7de13a252ae02,68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4,6cea34d7ec6829b62f521a37a287f670144a2233
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21941
CVE Published
Apr 13, 2026 - 13:21 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: drop logically empty buckets in mtype_del

mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.

Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.

AnalysisAI

Local denial-of-service via kernel memory leak in the Linux kernel's netfilter ipset subsystem affects multiple stable branches from Linux 5.6 through the fixed releases 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. The mtype_del() function contains a logic flaw that prevents proper bucket release when all live entries are deleted but the positional counter (n->pos) still references past-deleted slots, causing accumulated unreleased kernel memory across repeated ipset add/delete operations. No public exploit code exists and this CVE is not listed in the CISA KEV catalog; EPSS at 0.02% (7th percentile) reflects very low real-world exploitation probability.

Technical ContextAI

The vulnerability is in the Linux kernel's netfilter ipset subsystem, specifically the mtype_del() generic bucket deletion function located in the net/netfilter/ipset/ subsystem. The ipset framework manages sets of IP addresses, networks, ports, and protocol tuples used by iptables and nftables rules for high-performance packet matching. The logic error is that mtype_del() counts empty slots below n->pos into variable k, but only drops (frees) a bucket when both n->pos and k simultaneously reach zero. When all live entries in a bucket have been deleted while n->pos still points past those deleted slots, k is nonzero but n->pos is not, so the bucket is never freed - it remains allocated despite being logically empty. This is a resource-retention bug most analogous to CWE-401 (Missing Release of Memory after Effective Lifetime) or CWE-670 (Always-Incorrect Control Flow Implementation), though no formal CWE has been assigned. The fix corrects the condition to treat a bucket as empty whenever all positions below n->pos are unused, releasing it directly. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The primary remediation is to upgrade to a patched Linux kernel version. Vendor-released patch versions confirmed by EUVD are: 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. Upstream stable-branch commits are available at: https://git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233 (6.1 branch), https://git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb (6.6 branch), https://git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02 (6.12 branch), https://git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4, https://git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323, and https://git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4. Where immediate patching is not feasible, systems that do not actively use the netfilter ipset feature (no iptables -m set or nft set rules referencing ipsets) are not exposed to this code path; preventing loading of the ip_set kernel module (via blacklisting in /etc/modprobe.d/) is an effective compensating control with the trade-off of disabling all ipset-based packet matching rules. Restricting CAP_NET_ADMIN to trusted processes and users limits who can trigger the vulnerable path but has broad implications for containerized workloads and network service functionality.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy