Skip to main content

Linux Kernel CVE-2026-31531

| EUVDEUVD-2026-25218 MEDIUM
2026-04-23 Linux GHSA-8q42-qfhf-592h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 17:52 vuln.today
CVSS changed
Apr 28, 2026 - 17:52 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 17:38 nvd
Patch available
Patch available
Apr 23, 2026 - 13:16 EUVD
EUVD ID Assigned
Apr 23, 2026 - 11:30 euvd
EUVD-2026-25218
Analysis Generated
Apr 23, 2026 - 11:30 vuln.today
CVE Published
Apr 23, 2026 - 11:12 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()

When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for single nexthops and small Equal-Cost Multi-Path groups, this fixed allocation fails for large nexthop groups like 512 nexthops.

This results in the following warning splat:

WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608 [...] RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395) [...] Call Trace: <TASK> rtnetlink_rcv_msg (net/core/rtnetlink.c:6989) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585) ___sys_sendmsg (net/socket.c:2641) __sys_sendmsg (net/socket.c:2671) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK>

Fix this by allocating the size dynamically using nh_nlmsg_size() and using nlmsg_new(), this is consistent with nexthop_notify() behavior. In addition, adjust nh_nlmsg_size_grp() so it calculates the size needed based on flags passed. While at it, also add the size of NHA_FDB for nexthop group size calculation as it was missing too.

This cannot be reproduced via iproute2 as the group size is currently limited and the command fails as follows:

addattr_l ERROR: message exceeded bound of 1048

AnalysisAI

Denial of service in Linux kernel nexthop query handling allows local authenticated attackers to crash the kernel by querying nexthop objects with large Equal-Cost Multi-Path groups via the RTM_GETNEXTHOP netlink message. The vulnerability stems from fixed-size socket buffer allocation that overflows when processing nexthop groups exceeding approximately 512 members, triggering a kernel warning and potential system instability.

Technical ContextAI

The vulnerability exists in the IPv4 nexthop module (net/ipv4/nexthop.c) within the rtm_get_nexthop() function, which handles RTM_GETNEXTHOP netlink messages. The code allocated socket buffers using the fixed NLMSG_GOODSIZE constant, inadequate for large nexthop groups used in Equal-Cost Multi-Path (ECMP) routing configurations. The root cause is improper buffer sizing logic that fails to account for variable-length nexthop group data structures. The fix involves replacing fixed allocation with dynamic sizing via nh_nlmsg_size() and nlmsg_new() functions, consistent with the nexthop_notify() code path. Additionally, nh_nlmsg_size_grp() was modified to calculate sizes based on passed flags and include missing NHA_FDB attributes in group size calculations.

RemediationAI

Apply the vendor-released patch from your Linux distribution or build the kernel from upstream commits 615517f3f8d53b0cf41507c7599971e17adfdfa5 or later. Specific patched kernel versions include 6.12.83, 6.19.14, 6.18.24, and 7.0. Verify the fix via git log or your distribution's security advisory. As a temporary compensating control, restrict access to netlink RTM_GETNEXTHOP message handling via user/group permissions or seccomp/AppArmor rules to prevent local users from sending nexthop queries; however, this may break legitimate routing management tools and is not recommended as a long-term mitigation. The kernel patch is strongly preferred as it has no functional side effects - it simply improves buffer allocation from fixed to dynamic sizing. Distributions should prioritize backporting the upstream commits to stable branches used by their customer base.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy