Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: drop logically empty buckets in mtype_del

mtype_del() counts empty slots below n->pos in k, but it only drops the
bucket when both n->pos and k are zero. This misses buckets whose live
entries have all been removed while n->pos still points past deleted slots.

Treat a bucket as empty when all positions below n->pos are unused and
release it directly instead of shrinking it further.
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s ipset subsystem contains a flaw in its bucket deletion logic, causing buckets that have become empty after all entries are removed to remain allocated. This leads to wasted memory that can accumulate over time and may result in memory exhaustion, kernel crashes, or service interruptions.

Affected Systems

All Linux kernel versions that include the netfilter ipset module and have not yet incorporated the commit that fixes the bucket release logic are affected. Users running older kernels on any distribution that ship an unpatched ipset implementation are susceptible to the potential resource exhaustion described.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation. Based on the description, the likely attack vector is local or privileged code that exercises the ipset bucket deletion path. An attacker could repeatedly trigger bucket deletions to consume memory or force a kernel panic, resulting in a denial‑of‑service condition. The overall risk is moderate for environments that rely heavily on ipset configurations and have not applied the patch.

Generated by OpenCVE AI on May 20, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch correcting the ipset bucket deletion logic.
  • Reboot the system to load the new kernel and ensure the patch takes effect.
  • If a kernel upgrade cannot be performed immediately, disable the ipset module or restrict its use until the patch is available.

Generated by OpenCVE AI on May 20, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Wed, 20 May 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-401

Wed, 20 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.6:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.6:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-401

Tue, 14 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References

Mon, 13 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.
Title netfilter: ipset: drop logically empty buckets in mtype_del
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:04:57.387Z

Reserved: 2026-03-09T15:48:24.087Z

Link: CVE-2026-31418

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T14:16:11.267

Modified: 2026-05-20T19:32:14.053

Link: CVE-2026-31418

cve-icon Redhat

Severity :

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31418 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T23:30:41Z

Weaknesses