Skip to main content

Linux Kernel CVE-2026-31495

| EUVDEUVD-2026-24867 MEDIUM
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:52 vuln.today
CVSS changed
Apr 28, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 14:44 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24867
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: use netlink policy range checks

Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors.

  • CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at

policy level, removing the manual >= TCP_CONNTRACK_MAX check.

  • CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE

(14). The normal TCP option parsing path already clamps to this value, but the ctnetlink path accepted 0-255, causing undefined behavior when used as a u32 shift count.

  • CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with

CTA_FILTER_F_ALL, removing the manual mask checks.

  • CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding

a new mask define grouping all valid expect flags.

Extracted from a broader nf-next patch by Florian Westphal, scoped to ctnetlink for the fixes tree.

AnalysisAI

Denial of service in Linux kernel netfilter ctnetlink subsystem allows local authenticated attackers to trigger undefined behavior via improper validation of TCP window scale and connection tracking state parameters. The vulnerability stems from missing netlink policy range checks that permit out-of-bounds values (TCP window scale 0-255 instead of clamped 0-14, TCP state values exceeding TCP_CONNTRACK_MAX) to be passed to kernel code expecting constrained ranges, leading to undefined behavior in shift operations and state machine logic. CVSS 5.5 (local, low complexity, requires low privileges) with EPSS 0.03% indicates low real-world exploitation likelihood despite availability of vendor patches.

Technical ContextAI

The Linux kernel netfilter connection tracking (ctnetlink) module processes netlink messages that configure connection state attributes via user-space utilities like conntrack. The vulnerability affects netlink attribute parsing in the ctnetlink code path, specifically the CTA_PROTOINFO_TCP_STATE, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY, CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS, and CTA_EXPECT_FLAGS parameters. The root cause is the absence of netlink policy annotations (NLA_POLICY_RANGE and NLA_POLICY_MASK) that would enforce valid value ranges at the netlink layer before kernel code consumes them. Without these checks, the CTA_PROTOINFO_TCP_WSCALE parameters accept arbitrary 8-bit values (0-255) which are then used as shift counts in u32 operations, and CTA_PROTOINFO_TCP_STATE accepts values beyond the valid TCP connection tracking state enumeration (TCP_CONNTRACK_MAX), causing undefined behavior. The fix replaces manual validation code with declarative netlink policy constraints, enabling the kernel's netlink core to reject invalid messages early and generate extended acknowledgment (extack) errors for diagnostic purposes.

RemediationAI

Update to patched kernel versions: Linux 5.10.253 or later, 5.15.203 or later, 6.1.168 or later, 6.6.131 or later, 6.12.80 or later, 6.18.21 or later, 6.19.11 or later, or 7.0 final release. Patches are available via kernel.org stable branches (git commits 2ef71307c86a9f866d6e28f1a0c06e2e9d794474, 435b576cd2faa75154777868f8cbb73bf71644d3, and others listed in references). For systems unable to immediately upgrade, restrict unprivileged user access to netfilter configuration via SELinux or AppArmor policies denying CAP_NET_ADMIN to non-root users, though this does not fully mitigate if root-level processes are compromised. The fix involves no configuration changes and has no functional side effects - it only adds validation that rejects previously-accepted-but-invalid parameter values.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy