Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()

Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.

rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].
Validate addrnr during rule installation so malformed rules are rejected
before the match logic can use an out-of-range value.

Published: 2026-04-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a logic flaw in the netfilter ip6t_rt module of the Linux kernel. When a rule is installed, the number of addresses (addrnr) is not validated. An attacker can supply an oversized addrnr that exceeds the IP6T_RT_HOPS limit, causing rt_mt6() to read beyond the bounds of the address array. This out-of-bounds read can trigger a kernel panic, resulting in a system crash and denial of service. The weakness is identified as the out-of-bounds array access described by CWE-1284.
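An added example, not code from the kernel or from this page: a userspace C model of the install-time bound described above, with a match loop that relies on it. The struct, the function names and the value 16 for IP6T_RT_HOPS are assumptions made for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6T_RT_HOPS 16            /* assumed array capacity for this model */

struct rt_info_model {             /* hypothetical stand-in for the rule data */
    uint8_t addrs[IP6T_RT_HOPS][16];
    uint8_t addrnr;                /* caller-supplied count, range 0..255 */
};

/* Install-time check: refuse any count the array cannot hold. */
int rt_check_model(const struct rt_info_model *r)
{
    return r->addrnr > IP6T_RT_HOPS ? -EINVAL : 0;
}

/* Match-time loop: indexes addrs[] up to addrnr and trusts the check above.
 * pkt points at pkt_n consecutive 16-byte addresses from the packet. */
int rt_match_model(const struct rt_info_model *r,
                   const uint8_t *pkt, unsigned int pkt_n)
{
    if (r->addrnr > pkt_n)
        return 0;
    for (unsigned int i = 0; i < r->addrnr; i++)
        if (memcmp(r->addrs[i], pkt + 16u * i, 16) != 0)
            return 0;
    return 1;
}

/* Constructed rule: slot i is filled with byte i+1, count set to nr. */
struct rt_info_model make_rule(unsigned int nr)
{
    struct rt_info_model r;
    memset(&r, 0, sizeof(r));
    for (unsigned int i = 0; i < nr && i < IP6T_RT_HOPS; i++)
        memset(r.addrs[i], (int)(i + 1), 16);
    r.addrnr = (uint8_t)nr;
    return r;
}

int main(void)
{
    unsigned int counts[] = { 0, 2, 16, 17, 255 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        struct rt_info_model r = make_rule(counts[i]);
        printf("addrnr=%3u -> %s\n", counts[i],
               rt_check_model(&r) ? "rejected (-EINVAL)" : "accepted");
    }
    return 0;
}
```

The match loop is only ever safe for rules that passed the check, which is why the bound belongs at rule installation rather than in the per-packet path.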

Affected Systems

The flaw appears in all Linux kernel builds that ship with the ip6t_rt match module before the patch is applied. The CVE data does not list specific kernel releases, so any unpatched kernel running this module is potentially vulnerable. This includes mainstream distributions featuring the default kernel as well as custom or older kernels that still include the match module.

Risk and Exploitability

The CVSS score of 7.1 places the vulnerability in the moderate-to-high severity range. The EPSS score indicates a very low likelihood of exploitation (<1%). The CVE is not listed in the CISA KEV catalog, suggesting no known widespread active exploitation. The likely attack vector is the ability to create or modify iptables rules that use the rt module. This requirement is inferred from the privileges typically needed to manipulate iptables rules, which makes this a local attack scenario. As a result, an attacker with sufficient privileges can crash the system by installing a malformed rule, but the flaw does not appear to provide remote code execution or broad privilege escalation.

Generated by OpenCVE AI on May 6, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a recent Linux kernel update that includes the netfilter ip6t_rt patch.
  • If an immediate kernel upgrade is infeasible, unload or disable the ip6t_rt kernel module until the patch is applied.
  • Restrict the creation of iptables rules that use the rt match module to trusted privileged users only.
  • Monitor for anomalous rule insertions that reference an oversized addrnr and audit such attempts.

Generated by OpenCVE AI on May 6, 2026 at 22:55 UTC.

Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4561-1 | linux-6.1 security update |
| Debian DSA | DSA-6238-1 | linux security update |
| Debian DSA | DSA-6243-1 | linux security update |

History

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.
Title netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:26.826Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31674

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-25T09:16:00.963

Modified: 2026-05-06T21:34:51.447

Link: CVE-2026-31674

Red Hat

Severity: Moderate

Public Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31674 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z