CVE-2026-31405 - Vulnerability Details

- media: dvb-net: fix OOB access in ULE extension header tables

Description

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-net: fix OOB access in ULE extension header tables

The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.

Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.

Published: 2026-04-06

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A missing bounds check in the Linux kernel media dvb‑net driver allows an out‑of‑bounds read of function pointer tables when the ULE extension type field is set to 255. The invalid index can cause the kernel to invoke an unintended function pointer, potentially allowing an attacker to execute arbitrary code with kernel privileges. The vulnerability is a classic example of a bounds check failure (CWE‑1285).

Affected Systems

All Linux kernel versions that contain the dvb‑net driver without the recent patch are affected. No specific version range is listed, so any kernel before the fix is considered vulnerable. The issue arises in the handling of ULE extension tables received from network‑controlled data streams over DVB interfaces.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is below 1%. The vulnerability is not in the CISA KEV catalog. However, the impact is severe because execution occurs with kernel privileges. The attack requires the ability to send crafted DVB network data containing a ULE extension with type 255 to a vulnerable system. The exploit is likely to be performed over a network interface, so systems exposed to external DVB traffic should be considered at risk. Due to the low EPSS, widespread exploitation is not yet common, but the potential for remote kernel compromise warrants immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e51238718217c4abdb3ccc3b0c0cde265c7ec629
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< b2bd2ee73b697c177157bba534e1b1064c2e66a0
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 29ef43ceb121d67b87f4cbb08439e4e9e732eff8
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 1a6da3dbb9985d00743073a1cc1f96e59f5abc30
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 145e50c2c700fa52b840df7bab206043997dd18e
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f2b65dcb78c8990e4c68a906627433be1fe38a92
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 24d87712727a5017ad142d63940589a36cd25647

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,29ef43ceb121d67b87f4cbb08439e4e9e732eff8)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1a6da3dbb9985d00743073a1cc1f96e59f5abc30)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,145e50c2c700fa52b840df7bab206043997dd18e)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f2b65dcb78c8990e4c68a906627433be1fe38a92)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,24d87712727a5017ad142d63940589a36cd25647)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.12`	affected	semver	—
`[0,2.6.12)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the bounds‑check patch for the dvb‑net driver.
Verify the kernel version to ensure the fix is present.
If an update is not yet available, suspend or restrict use of DVB interfaces on the affected host.
Monitor vendor advisories and kernel mailing list releases for the patch date and apply hotfixes promptly.

Generated by OpenCVE AI on April 7, 2026 at 09:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e
https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30
https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647
https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8
https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe
https://git.kernel.org/stable/c/b2bd2ee73b697c177157bba534e1b1064c2e66a0
https://git.kernel.org/stable/c/e51238718217c4abdb3ccc3b0c0cde265c7ec629
https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92
https://lore.kernel.org/linux-cve-announce/2026040603-CVE-2026-31405-8cfb@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31405
https://www.cve.org/CVERecord?id=CVE-2026-31405

History

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/b2bd2ee73b697c177157bba534e1b1064c2e66a0 https://git.kernel.org/stable/c/e51238718217c4abdb3ccc3b0c0cde265c7ec629

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-125

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-125 CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026040603-CVE-2026-31405-8cfb@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31405 https://www.cve.org/CVERecord?id=CVE-2026-31405

Mon, 06 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.
Title		media: dvb-net: fix OOB access in ULE extension header tables
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30 https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647 https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8 https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-06T07:33:00.544Z

Updated: 2026-04-27T14:02:52.534Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31405

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-06T08:16:38.253

Modified: 2026-04-27T14:16:36.520

Link: CVE-2026-31405

Redhat

Severity :

Publid Date: 2026-04-06T00:00:00Z

Links: CVE-2026-31405 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:52:38Z

Weaknesses

CWE-1285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object