Skip to main content

Linux Kernel EUVDEUVD-2026-26565

| CVE-2026-31752 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:22 vuln.today
CVSS changed
May 07, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26565
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

bridge: br_nd_send: validate ND option lengths

br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload.

Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.

AnalysisAI

Denial of service in Linux kernel bridge module via malformed IPv6 Neighbor Discovery options allows local authenticated attackers to crash the system by crafting packets with invalid ND option lengths that cause memory access violations in the br_nd_send() function. The vulnerability affects kernel versions 4.15 and later across multiple stable branches. EPSS exploitation probability is very low at 0.02%, reflecting the requirement for local authenticated access and low attack complexity.

Technical ContextAI

The vulnerability exists in the Linux kernel's bridge module, specifically in the br_nd_send() function which processes IPv6 Neighbor Discovery (ND) options. ND is part of ICMPv6 and uses a variable-length option format where each option header includes a length field indicating the option's size. The br_nd_send() function walks through these options by advancing a pointer according to the length values without validating that the specified lengths fit within the remaining ND option area. This allows a malformed option with an excessively large length value to cause the parser to read beyond allocated memory bounds. Additionally, the source Link-Layer Address (LLADDR) option is accessed without confirming the option payload is large enough to contain a complete Ethernet address (6 bytes), risking out-of-bounds reads. The fix adds validation of option lengths against remaining buffer space before parser advancement and ensures source LLADDR options have sufficient length before accessing the address payload.

RemediationAI

Update Linux kernel to patched versions: 5.10.253 or later (5.10 series), 5.15.203 or later (5.15 series), 6.1.168 or later (6.1 series), 6.6.134 or later (6.6 series), 6.12.81 or later (6.12 series), 6.18.22 or later (6.18 series), 6.19.12 or later (6.19 series), or 7.0 or later. Patches are available via git.kernel.org/stable referenced in CVE data. As a temporary mitigating control with significant limitations, disable IPv6 bridge forwarding if not operationally required by setting 'net.ipv6.conf.all.forwarding=0' and 'net.ipv6.conf.default.forwarding=0' via sysctl; however, this disables all IPv6 routing and should only be used as a stopgap on systems unable to patch immediately. Kernel upgrade is the recommended path; no architectural workarounds exist that preserve bridge IPv6 functionality while preventing ND option processing.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26565 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy