Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_netem: fix out-of-bounds access in packet corruption

In netem_enqueue(), the packet corruption logic uses
get_random_u32_below(skb_headlen(skb)) to select an index for
modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear
packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.

Passing 0 to get_random_u32_below() takes the variable-ceil slow path
which returns an unconstrained 32-bit random integer. Using this
unconstrained value as an offset into skb->data results in an
out-of-bounds memory access.

Fix this by verifying skb_headlen(skb) is non-zero before attempting
to corrupt the linear data area. Fully non-linear packets will silently
bypass the corruption logic.
Published: 2026-04-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability manifests when the sch_netem packet corruption routine selects a random index based on skb_headlen(skb). When a fully non-linear packet is transmitted via an AF_PACKET TX_RING over an IPIP tunnel, skb_headlen(skb) is zero. Passing zero to get_random_u32_below() yields an unconstrained 32-bit value, which is then used as an offset into skb->data, causing an out-of-bounds memory access. This can lead to a kernel panic or, in the worst case, a corrupted memory state that could be leveraged for privilege escalation.
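
A userspace model of the index selection described above, added here as an example; it is not kernel code and not code from this page. The xorshift generator, the function names and the 64-byte buffer are assumptions for illustration, and the unguarded path only computes the index without touching memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Deterministic stand-in for a 32-bit random source (xorshift32, assumed). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t model_random_u32(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Model of a bounded draw: ceil == 0 falls back to a raw 32-bit value. */
static uint32_t model_random_u32_below(uint32_t ceil)
{
    uint64_t mult;
    if (ceil == 0)
        return model_random_u32();          /* unconstrained result */
    mult = (uint64_t)ceil * model_random_u32();
    while ((uint32_t)mult < (0u - ceil) % ceil) /* reject biased draws */
        mult = (uint64_t)ceil * model_random_u32();
    return (uint32_t)(mult >> 32);
}

/* Pre-fix shape: index drawn without checking headlen. Reports whether the
 * index falls inside the linear area [0, headlen); nothing is dereferenced. */
static bool unguarded_index_in_bounds(uint32_t headlen, uint32_t *idx)
{
    *idx = model_random_u32_below(headlen);
    return *idx < headlen;
}

/* Post-fix shape: skip corruption when there is no linear data at all. */
static bool guarded_corrupt(uint8_t *buf, uint32_t headlen)
{
    if (headlen == 0)
        return false;                       /* non-linear packet bypasses */
    buf[model_random_u32_below(headlen)] ^= (uint8_t)(1u << model_random_u32_below(8));
    return true;
}

int main(void)
{
    uint8_t buf[64] = {0};
    uint32_t idx;
    bool ok = unguarded_index_in_bounds(0, &idx);
    printf("headlen=0 unguarded: idx=%u in_bounds=%d\n", (unsigned)idx, ok);
    printf("headlen=0 guarded: corrupted=%d\n", guarded_corrupt(buf, 0));
    return 0;
}
```

With a head length of zero, no index can be in bounds, so the only safe outcome is the guarded path's early return.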

Affected Systems

All Linux kernel builds where the netem packet corruption feature is enabled are affected, regardless of distribution or vendor, as the CNAs list only Linux:Linux. No specific version banner is provided, so the issue may exist in any kernel containing the referenced code path.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. An EPSS score of <1% implies a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, reducing immediate threat visibility. Exploitation requires an attacker to send crafted non‑linear packets to a host with the netem packet corruption logic active, likely from a local or network position that can influence the packet stream. Successful exploitation could crash the kernel or corrupt memory, leading to denial of service or potential privilege escalation if the attacker can control the random offset further.

Generated by OpenCVE AI on May 6, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch for sch_netem packet corruption
  • If a kernel upgrade is not immediately possible, restructure netem configurations to avoid passing fully non‑linear packets through the corruption logic, or disable the packet corruption feature entirely
  • Monitor system logs for kernel panics or abnormal packet handling as a reminder to apply the update promptly


Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Title net/sched: sch_netem: fix out-of-bounds access in packet corruption
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:27.983Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31675

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-25T09:16:01.100

Modified: 2026-05-06T21:33:21.950

Link: CVE-2026-31675

Redhat

Severity: Moderate

Public Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31675 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z

Weaknesses