Description
In the Linux kernel, the following vulnerability has been resolved:

udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.

Let's say we bind() an UDP socket to the wildcard address with a
non-zero port, connect() it to an address, and disconnect it from
the address.

bind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not
SOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put
the socket into the 4-tuple hash table.

Then, __udp_disconnect() calls sk->sk_prot->rehash(sk).

It computes a new hash based on the wildcard address and moves
the socket to a new slot in the 4-tuple hash table, leaving a
garbage in the chain that no packet hits.

Let's remove such a socket from 4-tuple hash table when disconnected.

Note that udp_sk(sk)->udp_portaddr_hash needs to be udpated after
udp_hash4_dec(hslot2) in udp_unhash4().
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel integrity or availability due to hash table inconsistency
Action: Immediate Patch
AI Analysis

Impact

A bug in the Linux kernel allows an automatically bound UDP socket to remain in the 4‑tuple hash table after the socket is disconnected. The lingering entry is not removed correctly, creating a garbage reference that may cause incorrect packet routing or kernel memory corruption. The description does not detail direct information leakage or privilege escalation, but the improper hash handling could lead to kernel instability.

Affected Systems

The vulnerability affects all Linux kernel versions that contain the affected UDP socket handling code, as listed in the Common Platform Enumeration: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* No specific sub‑release or build is named; the issue applies to any kernel that has not been patched to remove the broken hash logic.

Risk and Exploitability

The CVSS score of 5.5 places the vulnerability in the moderate severity band, while the EPSS score of less than 1% indicates it is unlikely to be widely exploited. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Due to the kernel and socket nature of the flaw, the attack vector is inferred to be local, requiring the attacker to be able to manipulate UDP sockets on the affected host. Exploitation would potentially cause a kernel crash or reduced network reliability, impacting system availability.

Generated by OpenCVE AI on March 26, 2026 at 13:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the fix for this unhash bug

Generated by OpenCVE AI on March 26, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-590
CWE-791

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-590
CWE-791

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected. Let's say we bind() an UDP socket to the wildcard address with a non-zero port, connect() it to an address, and disconnect it from the address. bind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not SOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put the socket into the 4-tuple hash table. Then, __udp_disconnect() calls sk->sk_prot->rehash(sk). It computes a new hash based on the wildcard address and moves the socket to a new slot in the 4-tuple hash table, leaving a garbage in the chain that no packet hits. Let's remove such a socket from 4-tuple hash table when disconnected. Note that udp_sk(sk)->udp_portaddr_hash needs to be udpated after udp_hash4_dec(hslot2) in udp_unhash4().
Title udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:05:10.919Z

Reserved: 2026-01-13T15:37:45.996Z

Link: CVE-2026-23331

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:30.510

Modified: 2026-04-23T21:13:28.780

Link: CVE-2026-23331

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23331 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:49:41Z

Weaknesses