Description
In the Linux kernel, the following vulnerability has been resolved:

openvswitch: validate MPLS set/set_masked payload length

validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for
SET/SET_MASKED actions. In action handling, OVS expects fixed-size
MPLS key data (struct ovs_key_mpls).

Use the already normalized key_len (masked case included) and reject
non-matching MPLS action key sizes.

Reject invalid MPLS action payload lengths early.
Published: 2026-04-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s openvswitch component includes a function validate_set() that mistakenly treats the OVS_KEY_ATTR_MPLS attribute as a variable‑sized payload for SET and SET_MASKED operations. OVS, however, expects a fixed‑size struct representing an MPLS key. Because the kernel fails to reject mismatched payload lengths, an attacker can supply an incorrectly sized MPLS action, potentially causing memory corruption within the kernel and resulting in a crash. The described weakness is a type 1284 error—out‑of‑bounds access that can lead to denial of service.

Affected Systems

All Linux kernel builds that incorporate the openvswitch stack are potentially impacted. The advisory lists kernel CPEs for versions 7.0 rc1 through rc5, indicating that any running kernel containing the vulnerable openvswitch code path should be considered at risk until the patch is applied.

Risk and Exploitability

The CVSS score of 7.1 classifies this vulnerability as high severity. The EPSS score of less than 1% suggests a low likelihood of current exploitation. It is not present in the CISA KEV catalog. Based on the nature of the bug, the likely attack vector would involve delivering a maliciously crafted MPLS packet to a target system that has openvswitch enabled. This inference is drawn from the fact that validate_set() is invoked during MPLS action handling, but the advisory does not explicitly confirm the exact exploitation method.

Generated by OpenCVE AI on May 7, 2026 at 00:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the fix for validate_set() for MPLS keys
  • Reboot the system so the updated kernel is active
  • Temporarily block or reject MPLS traffic in Open vSwitch until the update is applied

Generated by OpenCVE AI on May 7, 2026 at 00:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 27 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Openvswitch
Openvswitch openvswitch
Vendors & Products Openvswitch
Openvswitch openvswitch

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: openvswitch: validate MPLS set/set_masked payload length validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for SET/SET_MASKED actions. In action handling, OVS expects fixed-size MPLS key data (struct ovs_key_mpls). Use the already normalized key_len (masked case included) and reject non-matching MPLS action key sizes. Reject invalid MPLS action payload lengths early.
Title openvswitch: validate MPLS set/set_masked payload length
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
Openvswitch Openvswitch
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:32.583Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31679

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-25T09:16:01.550

Modified: 2026-05-06T21:25:09.453

Link: CVE-2026-31679

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31679 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T00:15:05Z

Weaknesses