Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: add missing netlink policy validations

Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.

These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.

Quoting the reporter:
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. [..]

and: ... with exp->dir = 100, the access at
ct->master->tuplehash[100] reads 5600 bytes past the start of a
320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
UBSAN.
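As an added illustration (not the kernel's own code, and not the reporter's), the following user-space C model shows the kind of check the fix's extended netlink policies add: an upper bound per attribute, enforced before the value reaches ct->proto.sctp.state or is used to index master->tuplehash[]. The enum values, the struct layout and the attribute name CTA_EXPECT_DIR_MODEL are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Stand-ins for the kernel enums involved; the values are assumed here. */
enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1, IP_CT_DIR_MAX = 2 };
enum { SCTP_CONNTRACK_NONE = 0, SCTP_CONNTRACK_MAX = 10 };
/* CTA_PROTOINFO_SCTP_STATE is named in the advisory; CTA_EXPECT_DIR_MODEL is a
 * hypothetical stand-in for the attribute that fills exp->dir. Values arbitrary. */
enum { CTA_PROTOINFO_SCTP_STATE = 1, CTA_EXPECT_DIR_MODEL = 2, CTA_MAX = 2 };

/* Minimal model of a netlink policy entry carrying an upper bound,
 * which is the check the fix adds to the real policy tables. */
struct nla_policy_model { uint32_t max; };
static const struct nla_policy_model policy[CTA_MAX + 1] = {
    [CTA_PROTOINFO_SCTP_STATE] = { .max = SCTP_CONNTRACK_MAX - 1 },
    [CTA_EXPECT_DIR_MODEL]     = { .max = IP_CT_DIR_MAX - 1 },
};

/* Toy nf_conn: tuplehash has exactly IP_CT_DIR_MAX slots, so any
 * dir >= IP_CT_DIR_MAX would index past the end of the object. */
struct nf_conn_model {
    int tuplehash[IP_CT_DIR_MAX];
    uint8_t sctp_state;
};

/* Policy validation: false means the netlink message must be rejected. */
bool nla_validate_model(unsigned int type, uint32_t value)
{
    if (type == 0 || type > CTA_MAX)
        return false;            /* unknown attribute type */
    return value <= policy[type].max;
}

/* Hardened form of the nlattr_to_sctp() assignment: the state is stored
 * only after the policy accepted it, so it can never leave the valid range. */
bool set_sctp_state(struct nf_conn_model *ct, uint32_t state)
{
    if (!nla_validate_model(CTA_PROTOINFO_SCTP_STATE, state))
        return false;
    ct->sctp_state = (uint8_t)state;
    return true;
}

/* Hardened master->tuplehash[dir] lookup: -1 instead of an out-of-bounds read. */
int master_tuplehash(const struct nf_conn_model *master, uint32_t dir)
{
    if (!nla_validate_model(CTA_EXPECT_DIR_MODEL, dir))
        return -1;
    return master->tuplehash[dir];
}
```

With the reporter's values (state out of range, dir = 100) both calls are refused before any memory access takes place.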
Published: 2026-04-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, missing netlink policy checks in the conntrack subsystem allow a crafted netlink message to set the SCTP state value or an invalid tuplehash index directly. The kernel then performs an out-of-bounds read on the nf_conn object, exposing portions of kernel memory. The flaw is a classic buffer over-read (CWE-125) and potentially an out-of-bounds write (CWE-787), both resulting from the missing policy validation, which accepts user-supplied attributes without checking their values. This can leak kernel addresses, user credentials, or other sensitive data, but it does not by itself provide arbitrary code execution. The description indicates that the fault manifests when the kernel processes the user-supplied attributes without validation.

Affected Systems

All Linux kernel releases that have not incorporated the patch commits adding netlink policy validation are affected. This includes any distribution running an unmodified Linux kernel built before the relevant commit. No specific version list is provided, so any kernel older than the commit is at risk.

Risk and Exploitability

The CVSS score of 7.1 denotes high severity, while the EPSS score below 1 % suggests that exploitation in the wild is unlikely. It is inferred that an attacker must be able to send conntrack netlink commands, which requires CAP_NET_ADMIN or other privileged local access, to trigger the fault. The flaw is not listed in the CISA KEV catalog and, being an out-of-bounds read/write, generally leads to information disclosure unless chained with other weaknesses.

Generated by OpenCVE AI on May 20, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that includes commit c0fbae1e74493… or f900e1d77ee0… implementing the missing policy validation
  • If an immediate kernel upgrade is not possible, restrict or remove CAP_NET_ADMIN privileges for untrusted users and, if supported, disable the conntrack netlink interface to prevent sending crafted messages
  • Subscribe to the distribution's security advisories and apply future kernel updates that include the fix as they become available

Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type: References
Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Wed, 22 Apr 2026 12:45:00 +0000
Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Tue, 07 Apr 2026 00:00:00 +0000

Type: Weaknesses
Values Added: CWE-125, CWE-20
Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Moderate


Mon, 06 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description: (text identical to the Description section at the top of this page)
Title: netfilter: conntrack: add missing netlink policy validations
First Time appeared: Linux, Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:06.853Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31407

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-06T08:16:38.623

Modified: 2026-05-20T16:22:08.980

Link: CVE-2026-31407

Redhat

Severity : Moderate

Public Date: 2026-04-06T00:00:00Z

Links: CVE-2026-31407 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T17:45:36Z

Weaknesses