CVE-2026-31418 - Vulnerability Details

- netfilter: ipset: drop logically empty buckets in mtype_del

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: drop logically empty buckets in mtype_del

mtype_del() counts empty slots below n->pos in k, but it only drops the
bucket when both n->pos and k are zero. This misses buckets whose live
entries have all been removed while n->pos still points past deleted slots.

Treat a bucket as empty when all positions below n->pos are unused and
release it directly instead of shrinking it further.

Published: 2026-04-13

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s ipset subsystem contains a flaw in its bucket deletion logic, causing buckets that have become empty after all entries are removed to remain allocated. This results in wasted memory that can accumulate over time, potentially exhausting available memory and leading to kernel crashes or service interruptions.

Affected Systems

All Linux kernel versions that include the netfilter ipset module and have not yet incorporated the commit that fixes the bucket release logic are affected. Users running older kernels on any distribution that ship an unpatched ipset implementation are susceptible to the potential resource exhaustion described.

Risk and Exploitability

The CVSS score and EPSS data are not provided, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation. Based on the description, the likely attack vector is local or privileged code that exercises the ipset bucket deletion path. An attacker could repeatedly trigger bucket deletions to consume memory or force a kernel panic, resulting in a denial‑of‑service condition. The overall risk is moderate to high for environments that heavily rely on ipset configurations and have not applied the patch.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`8af1c6fbd9239877998c7f5a591cb2c88d41fb66`	affected	< ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb
`8af1c6fbd9239877998c7f5a591cb2c88d41fb66`	affected	< 6cea34d7ec6829b62f521a37a287f670144a2233
`8af1c6fbd9239877998c7f5a591cb2c88d41fb66`	affected	< b7eef00f08b92b0b9efe8ae0df6d0005e6199323
`8af1c6fbd9239877998c7f5a591cb2c88d41fb66`	affected	< 68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4
`8af1c6fbd9239877998c7f5a591cb2c88d41fb66`	affected	< ceacaa76f221a6577aba945bb8873c2e640aeba4
`8af1c6fbd9239877998c7f5a591cb2c88d41fb66`	affected	< 9862ef9ab0a116c6dca98842aab7de13a252ae02
`6c717726f341fd8f39a3ec2dcf5d98d9d28a2769`	affected	—
`d2997d64dfa65082236bca1efd596b6c935daf5e`	affected	—

Linux

affected

Version	Status	Constraints
`5.6`	affected	—
`0`	unaffected	< 5.6
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb)`	affected	code_commit	—
`[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,6cea34d7ec6829b62f521a37a287f670144a2233)`	affected	code_commit	—
`[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,b7eef00f08b92b0b9efe8ae0df6d0005e6199323)`	affected	code_commit	—
`[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4)`	affected	code_commit	—
`[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,ceacaa76f221a6577aba945bb8873c2e640aeba4)`	affected	code_commit	—
`[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,9862ef9ab0a116c6dca98842aab7de13a252ae02)`	affected	code_commit	—
`6c717726f341fd8f39a3ec2dcf5d98d9d28a2769`	affected	code_commit	—
`d2997d64dfa65082236bca1efd596b6c935daf5e`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.6`	affected	generic	—
`[0,5.6)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch correcting the ipset bucket deletion logic.
Reboot the system to load the new kernel and ensure the patch takes effect.
Verify that ipset commands operate normally and monitor system logs for abnormal memory usage or kernel crashes.
If a kernel upgrade cannot be performed immediately, disable the ipset module or restrict its use until the patch is available.

Generated by OpenCVE AI on April 13, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4
https://git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233
https://git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02
https://git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb
https://git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323
https://git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4
https://lore.kernel.org/linux-cve-announce/2026041311-CVE-2026-31418-e6b9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31418
https://www.cve.org/CVERecord?id=CVE-2026-31418

History

Tue, 14 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-399 CWE-401

Tue, 14 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026041311-CVE-2026-31418-e6b9@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31418 https://www.cve.org/CVERecord?id=CVE-2026-31418

Mon, 13 Apr 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.
Title		netfilter: ipset: drop logically empty buckets in mtype_del
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4 https://git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233 https://git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02 https://git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb https://git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323 https://git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-13T13:21:05.316Z

Updated: 2026-04-13T13:21:05.316Z

Reserved: 2026-03-09T15:48:24.087Z

Link: CVE-2026-31418

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-13T14:16:11.267

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-31418

Redhat

Severity :

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31418 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:34:30Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object