Description
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG

The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements
bc_ackers on every inbound group ACK, even when the same member has
already acknowledged the current broadcast round.

Because bc_ackers is a u16, a duplicate ACK received after the last
legitimate ACK wraps the counter to 65535. Once wrapped,
tipc_group_bc_cong() keeps reporting congestion and later group
broadcasts on the affected socket stay blocked until the group is
recreated.

Fix this by ignoring duplicate or stale ACKs before touching bc_acked or
bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and
prevents the underflow path.
Published: 2026-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, TIPC’s group broadcast acknowledgment handling incorrectly decrements a 16‑bit counter for every received ACK. Duplicate ACKs after the final legitimate one wrap the counter to 65535, causing the module to report persistent congestion and permanently blocking subsequent broadcasts on the affected socket. This integer underflow (CWE‑191) results in a denial‑of‑service condition affecting TIPC group communications.

Affected Systems

Vulnerable kernel releases include Linux kernel 4.15 and every 7.0 release candidate from rc1 through rc7, as identified by the affected CPE strings. All distributions shipping one of these kernel versions could be impacted until the patch is applied.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to inject or replay duplicate GRP_ACK_MSGs to a TIPC group, which is likely limited to a local or privileged network context; based on the description, the attack vector is inferred to be local or network, not remote code execution.

Generated by OpenCVE AI on April 28, 2026 at 06:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched kernel version from the upstream Linux project or your distribution’s repository.
  • If a patch is not immediately available, disable or restrict TIPC broadcast groups on critical services to mitigate the denial of service risk.
  • Monitor system logs for repeated TIPC ACK messages or congestion warnings and verify the resolution in subsequent kernel updates.

Generated by OpenCVE AI on April 28, 2026 at 06:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round. Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts on the affected socket stay blocked until the group is recreated. Fix this by ignoring duplicate or stale ACKs before touching bc_acked or bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and prevents the underflow path.
Title tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:09.670Z

Reserved: 2026-03-09T15:48:24.129Z

Link: CVE-2026-31662

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:45.820

Modified: 2026-04-27T20:17:55.973

Link: CVE-2026-31662

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31662 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T06:15:24Z

Weaknesses