Description
In the Linux kernel, the following vulnerability has been resolved:

bridge: br_nd_send: linearize skb before parsing ND options

br_nd_send() parses neighbour discovery options from ns->opt[] and
assumes that these options are in the linear part of request.

Its callers only guarantee that the ICMPv6 header and target address
are available, so the option area can still be non-linear. Parsing
ns->opt[] in that case can access data past the linear buffer.

Linearize request before option parsing and derive ns from the linear
network header.
Published: 2026-04-25
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

br_nd_send() in the Linux kernel parses neighbour discovery options directly from the packet buffer, assuming that the options reside in the linear part of the skb. The callers only guarantee that the ICMPv6 header and target address are linear, leaving the option area potentially non‑linear. When this assumption is violated, parsing ns->opt[] can read past the linear buffer, resulting in an out‑of‑bounds read or write that corrupts kernel memory. The flaw is classified as CWE‑788 and carries a CVSS score of 9.1, indicating a high‑severity weakness that could compromise kernel integrity.
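
A user-space model of the condition described above, added here as an illustration (it is not kernel code and not the upstream patch): `struct model_skb`, `find_slla()`, `parse_ns()` and `demo()` are hypothetical names, and the packet is a constructed sample. A parser that respects the linear length finds no options while they sit in a fragment, and finds the source link-layer address option once head and fragment have been made contiguous.

```c
#include <stdint.h>
#include <string.h>
#define NS_FIXED 24  /* ICMPv6 header (8) + target address (16) */

/* User-space stand-in for an skb: linear head plus one paged fragment. */
struct model_skb { const uint8_t *head, *frag; size_t headlen, fraglen; };

/* Walk ND options in n contiguous bytes: 1 = SLLA (type 1), 0 = none, -1 = bad. */
static int find_slla(const uint8_t *opt, size_t n, uint8_t mac[6])
{
    size_t off = 0;
    while (n - off >= 2) {
        size_t len = (size_t)opt[off + 1] * 8;  /* length in 8-byte units */
        if (len == 0 || len > n - off)
            return -1;
        if (opt[off] == 1) {
            memcpy(mac, opt + off + 2, 6);
            return 1;
        }
        off += len;
    }
    return off == n ? 0 : -1;
}

/* linearize: copy head + fragment into one buffer and re-derive the pointer. */
static int parse_ns(const struct model_skb *s, int linearize, uint8_t mac[6])
{
    uint8_t buf[256];
    const uint8_t *data = s->head;
    size_t len = s->headlen;  /* only the head may be dereferenced as-is */
    if (linearize) {
        if (s->headlen > sizeof(buf) || s->fraglen > sizeof(buf) - s->headlen)
            return -1;
        memcpy(buf, s->head, s->headlen);
        memcpy(buf + s->headlen, s->frag, s->fraglen);
        data = buf;
        len = s->headlen + s->fraglen;
    }
    return len < NS_FIXED ? -1 : find_slla(data + NS_FIXED, len - NS_FIXED, mac);
}

/* Constructed sample: 24-byte NS in the head, SLLA option in the fragment. */
static int demo(int linearize, uint8_t mac[6])
{
    static const uint8_t head[NS_FIXED] = { 135 };  /* ICMPv6 type 135 = NS */
    static const uint8_t frag[8] = { 1, 1, 0x02, 0, 0, 0, 0, 0x01 };
    struct model_skb s = { head, frag, sizeof(head), sizeof(frag) };
    return parse_ns(&s, linearize, mac);
}
int main(void) { uint8_t m[6]; return !(demo(0, m) == 0 && demo(1, m) == 1); }
```

The flaw on this page is the case the model refuses to perform: walking the option area through the head pointer for more bytes than the head holds.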

Affected Systems

All Linux kernel builds that include the bridge module and the br_nd_send function are potentially affected. The vulnerability is present before the fix referenced in the listed git commits, and no specific version constraints are provided, so any kernel older than the fixed commit is at risk, including the 7.0 release candidates (rc1–rc6) identified in the CPE list.

Risk and Exploitability

The CVSS score of 9.1 reflects a severe vulnerability, yet the EPSS score is less than 1% and the bug is not listed in the CISA KEV catalog, indicating a low probability of exploitation in the wild. The likely attack vector is a network‑based exploit targeting the bridge interface with crafted ICMPv6 neighbour discovery packets that place options beyond the linear packet area. Based on the description, an attacker could trigger the flaw by sending such packets to a bridged host, potentially leading to kernel memory corruption, crashes, or in some scenarios, privilege escalation.

Generated by OpenCVE AI on May 7, 2026 at 00:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the patch referenced in the listed git commits.
  • If a kernel upgrade is not immediately possible, configure firewall or bridge filters to reject malformed ICMPv6 neighbour discovery packets or drop such traffic via sysctl settings.
  • Monitor kernel logs for panic or crash messages related to bridge packet handling and install the official patch as soon as it becomes available.



Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788
References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.
Title bridge: br_nd_send: linearize skb before parsing ND options
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:36.085Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31682

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-25T09:16:01.913

Modified: 2026-05-06T21:17:15.287

Link: CVE-2026-31682

Redhat

Severity: Moderate

Public Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31682 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T00:15:05Z

Weaknesses