Skip to main content

Linux Kernel CVE-2026-31496

| EUVDEUVD-2026-24868 MEDIUM
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7qwq-2hrf-8f6g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:52 vuln.today
CVSS changed
Apr 28, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 14:43 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24868
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_expect: skip expectations in other netns via proc

Skip expectations that do not reside in this netns.

Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's conntrack entries via proc").

AnalysisAI

Information disclosure in Linux kernel netfilter nf_conntrack_expect proc interface allows local authenticated users to read connection tracking expectations from other network namespaces, bypassing namespace isolation. The vulnerability affects kernel versions through 6.x and 7.0-rc releases with CVSS 5.5 (local, low complexity, high availability impact) and EPSS 0.02% exploitation probability; vendor-released patches are available for multiple stable branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).

Technical ContextAI

The Linux kernel netfilter subsystem manages network connection tracking and expectations via the nf_conntrack_expect module. The vulnerability resides in the proc filesystem interface (/proc/net/nf_conntrack_expect) which exposes connection tracking expectations without proper network namespace (netns) filtering. Network namespaces provide logical isolation of network resources in containerized and multi-tenant environments; this flaw allows a process with proc read access in one netns to enumerate expectations belonging to other netns contexts. The root cause is insufficient namespace boundary enforcement when iterating expectations during proc file reads, similar to prior netfilter conntrack disclosure flaws (referenced fix e77e6ff502ea). CWE data is not specified but aligns with CWE-200 (Information Exposure) or CWE-639 (Authorization Bypass Through User-Controlled Key).

RemediationAI

Vendor-released patch: Upgrade Linux kernel to patched stable versions: 6.1.168 or later (6.1.x series), 6.6.131 or later (6.6.x series), 6.12.80 or later (6.12.x series), 6.18.21 or later (6.18.x series), 6.19.11 or later (6.19.x series), or 7.0 final release or later. If immediate kernel upgrade is not feasible in multi-tenant container deployments, restrict proc filesystem read access via AppArmor or SELinux policies to prevent untrusted processes from reading /proc/net/nf_conntrack_expect; use seccomp rules to block open() syscalls on proc netfilter files for unprivileged workloads. Containers should run with read-only /proc or masked proc mounts (-security-opt apparmor=docker-default or PodSecurityPolicy restrictedProcMount). Trade-off: restrictive proc policies may break container network diagnostics; test thoroughly in staging. Network namespace isolation itself remains intact; this patch simply enforces the isolation at the proc interface level. References: upstream kernel git commits at https://git.kernel.org/stable/ for each fix; verify your distribution's backport via changelog (e.g., Ubuntu security advisories, RHEL errata).

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31496 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy