Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_multiport: validate range encoding in checkentry

ports_match_v1() treats any non-zero pflags entry as the start of a
port range and unconditionally consumes the next ports[] element as
the range end.

The checkentry path currently validates protocol, flags and count, but
it does not validate the range encoding itself. As a result, malformed
rules can mark the last slot as a range start or place two range starts
back to back, leaving ports_match_v1() to step past the last valid
ports[] element while interpreting the rule.

Reject malformed multiport v1 rules in checkentry by validating that
each range start has a following element and that the following element
is not itself marked as another range start.
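The check described above, written out as an added example that is not the kernel's own code: a simplified rule struct (assumed field names follow the advisory; it is not the kernel's definition) with the validator the fix adds to checkentry beside the walk that ports_match_v1() performs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a multiport v1 rule. Assumption: field names follow
 * the advisory (count, ports[], pflags[]); this is not the kernel's struct. */
#define MP_MAX_PORTS 15
struct mp_rule_v1 {
    uint8_t  count;                /* number of ports[] slots in use */
    uint16_t ports[MP_MAX_PORTS];  /* single ports, or range start/end pairs */
    uint8_t  pflags[MP_MAX_PORTS]; /* non-zero: this slot starts a range */
};

/* The check the fix adds to checkentry: a range start needs a following
 * slot, and that slot must not itself be flagged as another range start. */
bool mp_range_encoding_valid(const struct mp_rule_v1 *r)
{
    if (r->count > MP_MAX_PORTS)
        return false;              /* count is checked first, as before */
    for (size_t i = 0; i < r->count; i++) {
        if (!r->pflags[i])
            continue;              /* single port, nothing to pair */
        if (i + 1 >= r->count)
            return false;          /* range start in the last slot */
        if (r->pflags[i + 1])
            return false;          /* two range starts back to back */
        i++;                       /* skip the range end */
    }
    return true;
}

/* Matcher modelled on the walk the advisory describes: a flagged slot consumes
 * the next slot as the range end. In bounds only for validated rules. */
bool mp_ports_match_v1(const struct mp_rule_v1 *r, uint16_t port)
{
    for (size_t i = 0; i < r->count; i++) {
        if (r->pflags[i]) {
            uint16_t lo = r->ports[i], hi = r->ports[++i];
            if (port >= lo && port <= hi)
                return true;
        } else if (r->ports[i] == port) {
            return true;
        }
    }
    return false;
}
/* Constructed sample rules: one well formed, two that the fix now rejects. */
const struct mp_rule_v1 mp_rule_ok   = { .count = 3, .ports = {22, 1000, 2000}, .pflags = {0, 1, 0} };
const struct mp_rule_v1 mp_rule_tail = { .count = 2, .ports = {22, 80},         .pflags = {0, 1} };
const struct mp_rule_v1 mp_rule_pair = { .count = 3, .ports = {10, 20, 30},     .pflags = {1, 1, 0} };
```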
Published: 2026-04-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a flaw in the netfilter xt_multiport module. The ports_match_v1() routine treats any non-zero pflags entry as the start of a port range and consumes the next ports[] element as the range end, even when the range encoding is malformed. Because the checkentry path that registers the rule does not validate that each range start is followed by a proper range end, an attacker who can load rules can craft one that causes ports_match_v1() to read past the last valid ports[] element. This out-of-bounds read can trigger a kernel panic (Denial of Service) or result in mis-applied packet-filtering logic, potentially allowing traffic that should be blocked.

Affected Systems

All Linux kernel configurations that have not incorporated the fixing commit are vulnerable, regardless of distribution. This includes every released kernel version prior to the integration of the fix. Administrators should review whether their running kernel contains the patch referenced in the advisory commits and ensure that no legacy or custom builds without it remain in use.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and an EPSS score of less than 1% suggests a very low probability of exploitation at the time of reporting. The vulnerability is not listed in CISA KEV, implying no known public exploit. The most likely attack vector is local or administrative, as the flaw is triggered by injecting malformed rules into iptables or nftables, which typically requires privileged access. If an attacker were able to gain that privilege, they could cause a kernel crash or alter packet filtering behavior.

Generated by OpenCVE AI on May 6, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for CVE-2026-31681 or apply the patch from the commit URLs in the advisory
  • Validate existing multiport rules and correct any malformed range encodings to ensure each range start is followed by a proper end
  • Restrict the ability to modify netfilter rules to privileged users only and enable logging or auditing to detect unauthorized changes

Generated by OpenCVE AI on May 6, 2026 at 22:53 UTC.


Advisories
Source: Debian DSA | ID: DSA-6238-1 | Title: linux security update
History

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics (removed) threat_severity: None
Metrics (added) cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Metrics (added) threat_severity: Moderate


Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_multiport: validate range encoding in checkentry ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range end. The checkentry path currently validates protocol, flags and count, but it does not validate the range encoding itself. As a result, malformed rules can mark the last slot as a range start or place two range starts back to back, leaving ports_match_v1() to step past the last valid ports[] element while interpreting the rule. Reject malformed multiport v1 rules in checkentry by validating that each range start has a following element and that the following element is not itself marked as another range start.
Title netfilter: xt_multiport: validate range encoding in checkentry
First Time appeared: Linux, Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:34.942Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31681

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-25T09:16:01.800

Modified: 2026-05-06T21:21:50.587

Link: CVE-2026-31681

Redhat

Severity : Moderate

Public Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31681 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z