{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23331", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:22.526Z", "dateUpdated": "2026-03-25T10:27:22.526Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:22.526Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.\n\nLet's say we bind() an UDP socket to the wildcard address with a\nnon-zero port, connect() it to an address, and disconnect it from\nthe address.\n\nbind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not\nSOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put\nthe socket into the 4-tuple hash table.\n\nThen, __udp_disconnect() calls sk->sk_prot->rehash(sk).\n\nIt computes a new hash based on the wildcard address and moves\nthe socket to a new slot in the 4-tuple hash table, leaving a\ngarbage in the chain that no packet hits.\n\nLet's remove such a socket from 4-tuple hash table when disconnected.\n\nNote that udp_sk(sk)->udp_portaddr_hash needs to be udpated after\nudp_hash4_dec(hslot2) in udp_unhash4()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/udp.c"], "versions": [{"version": "78c91ae2c6deb5d236a5a93ff2995cdd05514380", "lessThan": "b955350778b8715e1b7885179979b3a68221c0fb", "status": "affected", "versionType": "git"}, {"version": "78c91ae2c6deb5d236a5a93ff2995cdd05514380", "lessThan": "3b8f104880c104151f8c30f2f89df81fb59a286c", "status": "affected", "versionType": "git"}, {"version": "78c91ae2c6deb5d236a5a93ff2995cdd05514380", "lessThan": "6996a2d2d0a64808c19c98002aeb5d9d1b2df6a4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/udp.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b955350778b8715e1b7885179979b3a68221c0fb"}, {"url": "https://git.kernel.org/stable/c/3b8f104880c104151f8c30f2f89df81fb59a286c"}, {"url": "https://git.kernel.org/stable/c/6996a2d2d0a64808c19c98002aeb5d9d1b2df6a4"}], "title": "udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.\n\nLet's say we bind() an UDP socket to the wildcard address with a\nnon-zero port, connect() it to an address, and disconnect it from\nthe address.\n\nbind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not\nSOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put\nthe socket into the 4-tuple hash table.\n\nThen, __udp_disconnect() calls sk->sk_prot->rehash(sk).\n\nIt computes a new hash based on the wildcard address and moves\nthe socket to a new slot in the 4-tuple hash table, leaving a\ngarbage in the chain that no packet hits.\n\nLet's remove such a socket from 4-tuple hash table when disconnected.\n\nNote that udp_sk(sk)->udp_portaddr_hash needs to be udpated after\nudp_hash4_dec(hslot2) in udp_unhash4()."}], "id": "CVE-2026-23331", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:30.510", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3b8f104880c104151f8c30f2f89df81fb59a286c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6996a2d2d0a64808c19c98002aeb5d9d1b2df6a4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b955350778b8715e1b7885179979b3a68221c0fb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected", "id": "2451190", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451190"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's handling of User Datagram Protocol (UDP) sockets. When an auto-bound UDP socket is connected and subsequently disconnected, it may not be properly unhashed from the 4-tuple hash table. This oversight can lead to the accumulation of stale entries, potentially causing resource exhaustion or performance degradation and resulting in a Denial of Service (DoS)."], "name": "CVE-2026-23331", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23331\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23331\nhttps://lore.kernel.org/linux-cve-announce/2026032532-CVE-2026-23331-735b@gregkh/T"], "statement": "This flaw affects UDP socket handling when applications repeatedly connect and disconnect sockets bound to wildcard addresses. The stale hash entries accumulate in the 4-tuple hash table, causing lookup inefficiency and potential hash chain degradation. The impact is gradual performance degradation rather than an immediate system crash.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:39:19.432428+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a release containing the UDP hash table cleanup patch", "Reboot the system or restart networking services to load the updated kernel", "Verify the running kernel version with \"uname -r\" and confirm it matches a patched release", "If a kernel upgrade cannot be performed immediately, restrict or block incoming UDP traffic to mitigate potential exploitation"], "summary": {"action": "Apply Patch", "impact": "Kernel Crash / Denial of Service"}, "threat_synthesis": {"affected_systems": "All versions of the Linux kernel that implement the 4\u2011tuple hash table for UDP sockets are affected. No version restrictions are listed; any kernel running before the commit that introduced the fix remains vulnerable.", "description_and_impact": "A flaw emerges when a UDP socket is auto\u2011bound to a wildcard address, connected to a remote peer, and later disconnected. The Linux kernel moves the socket to a new hash table slot but fails to remove the old reference, leaving a stale entry. If later accessed, this dangling pointer can lead to kernel memory corruption and system crashes, potentially providing a local denial\u2011of\u2011service vector.", "risk_and_exploitability": "The CVSS score is not provided, but the absence of a public exploit and lack of a record in the CISA database suggest the risk level is high only if an attacker can deliberately create, connect, and disconnect a UDP socket on the target. Such an action may be feasible for local users or remotely via crafted UDP traffic. The primary threat is kernel crash leading to system availability loss; no immediate remote privilege escalation is demonstrated. System administrators should treat this as a serious security issue and apply the patch promptly."}}}}, "created": "2026-03-25T21:32:22.531012+00:00", "updated": "2026-03-25T21:32:22.531043+00:00", "vendors": [], "weaknesses": ["CWE-590", "CWE-791"]}