Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: add missing netlink policy validations

Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.

These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.

Quoting the reporter:
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. [..]

and: ... with exp->dir = 100, the access at
ct->master->tuplehash[100] reads 5600 bytes past the start of a
320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
UBSAN.
Published: 2026-04-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel out‑of‑bounds read leading to information disclosure
Action: Apply patch
AI Analysis

Impact

An attacker may send crafted netlink messages to the conntrack subsystem that overwrite the SCTP state or access an invalid tuple hash index. The kernel then reads beyond the boundaries of the netfilter connection object, exposing up to several kilobytes of kernel memory. This out‑of‑bounds read is a classic buffer overread (CWE‑125) and can leak sensitive data such as kernel addresses or user credentials.
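As an added illustration (not the kernel's code and not the fix itself), the following userspace C model shows the kind of netlink policy check the commit message describes: each attribute value is compared against a per-attribute maximum before it is stored, so a state of 100 or a direction of 100 is rejected instead of being used as an index into the connection object. The attribute numbers, the bounds and the buffer layout are constructed for this example and only modelled on the kernel's SCTP_CONNTRACK_MAX and IP_CT_DIR_MAX enums.

```c
#include <stdint.h>
#include <string.h>
/* Simplified attribute header: total length (header + payload) and type. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN ((uint16_t)sizeof(struct nlattr))
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)
/* Attribute numbering is constructed for this example; both carry a u32. */
enum { ATTR_SCTP_STATE = 1, ATTR_EXPECT_DIR = 2, ATTR_MAX = 2 };
/* Upper bounds: assumptions modelled on SCTP_CONNTRACK_MAX / IP_CT_DIR_MAX. */
static const uint32_t policy_max[ATTR_MAX + 1] = {
    [ATTR_SCTP_STATE] = 9u,   /* constructed: states 0..9 are valid */
    [ATTR_EXPECT_DIR] = 1u,   /* ORIGINAL = 0, REPLY = 1 */
};
/* Walk a buffer of attributes, enforcing length and range policy before any
 * value is stored. Returns 0 on success, -1 on any violation. */
int validate_attrs(const uint8_t *buf, size_t len, uint32_t *state, uint32_t *dir)
{
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        struct nlattr hdr; uint32_t val;
        memcpy(&hdr, buf + off, sizeof hdr);
        if (hdr.nla_len < NLA_HDRLEN + sizeof val || off + hdr.nla_len > len)
            return -1;                        /* truncated or malformed */
        if (hdr.nla_type == 0 || hdr.nla_type > ATTR_MAX)
            return -1;                        /* unknown attribute type */
        memcpy(&val, buf + off + NLA_HDRLEN, sizeof val);
        if (val > policy_max[hdr.nla_type])
            return -1;                        /* the range check that was missing */
        *(hdr.nla_type == ATTR_SCTP_STATE ? state : dir) = val;
        off += NLA_ALIGN(hdr.nla_len);
    }
    return off == len ? 0 : -1;               /* reject trailing bytes */
}
/* Append one attribute at buf; returns the aligned number of bytes used. */
static size_t put_attr(uint8_t *buf, uint16_t type, uint32_t val)
{
    struct nlattr hdr = { .nla_len = (uint16_t)(NLA_HDRLEN + sizeof val), .nla_type = type };
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + NLA_HDRLEN, &val, sizeof val);
    return NLA_ALIGN(hdr.nla_len);
}
/* Build a constructed two-attribute message and validate it. */
int check_message(uint32_t state_val, uint32_t dir_val)
{
    uint8_t buf[32];
    uint32_t state = 0, dir = 0;
    size_t n = put_attr(buf, ATTR_SCTP_STATE, state_val);
    n += put_attr(buf + n, ATTR_EXPECT_DIR, dir_val);
    return validate_attrs(buf, n, &state, &dir);
}
```

The real kernel expresses the same bound declaratively in its nla_policy table; this model spells the check out so the before/after difference is visible.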

Affected Systems

All Linux kernel builds before the patch that adds netlink policy validation are affected. The vulnerability is present in the kernel’s netfilter conntrack code and therefore applies to every distribution that ships an unmodified Linux kernel, including major distros such as Ubuntu, CentOS, Debian, RHEL and others. No specific version list is provided in the advisory, so any kernel older than the commit that introduced the fix is at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation opportunities are expected to be rare. The vulnerability requires the ability to send netlink commands with CAP_NET_ADMIN, so a local attacker who has or can obtain that capability would be able to trigger the fault. The vulnerability is not yet listed in KEV, and because the flaw is an out‑of‑bounds read rather than arbitrary code execution, the impact is limited to information disclosure unless it is combined with further vulnerabilities.

Generated by OpenCVE AI on April 7, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that includes commit c0fbae1e74493… or f900e1d77ee0… that introduces the missing policy validation.
  • Verify the patch is present by checking the kernel version or running dmesg for the commit message.
  • If an update cannot be applied immediately, restrict use of conntrack netlink operations to trusted users and avoid sending custom SCTP state attributes.

Generated by OpenCVE AI on April 7, 2026 at 09:55 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}
References: (updated)


Wed, 22 Apr 2026 12:45:00 +0000


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-20
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 06 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.
Title netfilter: conntrack: add missing netlink policy validations
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:54.741Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31407

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-06T08:16:38.623

Modified: 2026-04-27T14:16:36.813

Link: CVE-2026-31407

Redhat

Severity : Moderate

Public Date: 2026-04-06T00:00:00Z

Links: CVE-2026-31407 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:52:37Z

Weaknesses