Description
In the Linux kernel, the following vulnerability has been resolved:

net: sched: act_csum: validate nested VLAN headers

tcf_csum_act() walks nested VLAN headers directly from skb->data when an
skb still carries in-payload VLAN tags. The current code reads
vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
first ensuring that the full VLAN header is present in the linear area.

If only part of an inner VLAN header is linearized, accessing
h_vlan_encapsulated_proto reads past the linear area, and the following
skb_pull(VLAN_HLEN) may violate skb invariants.

Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
pulling each nested VLAN header. If the header still is not fully
available, drop the packet through the existing error path.
Published: 2026-04-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s networking scheduler contains a flaw in the act_csum action where tcf_csum_act walks nested VLAN headers directly from skb->data. The code reads the VLAN encapsulation protocol and pulls a VLAN header length without first ensuring that the complete header resides in the linear part of the socket buffer. If only part of an inner VLAN header is linearized, this out‑of‑bounds read and subsequent skb_pull can corrupt kernel memory or violate skb invariants, leading to a crash or memory corruption. The weakness is identified as CWE-1285, an unsafe read that can be exploited to cause a denial of service.

Affected Systems

The vulnerability applies to the Linux kernel on any system that has not yet incorporated the regression fix. No specific kernel version range is listed in the advisory; affected systems are those using a kernel that remains before the commit adding pskb_may_pull checks for VLAN headers. Administrators should verify whether their running kernel includes the changes referenced in the provided Git commit links.

Risk and Exploitability

The CVSS score is 5.5, indicating a medium severity that can lead to system disruption. The EPSS score is below 1%, suggesting a low probability of exploitation, and the issue is not yet cataloged in CISA's KEV list. Likely attack vectors involve an attacker transmitting specially crafted packets with nested VLAN headers to a vulnerable host's networking stack. While the exploitation scenario requires network-level access or a packet injection path, the impact remains significant because it can permanently crash the host if not patched.

Generated by OpenCVE AI on May 6, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that contains the patch adding pskb_may_pull checks for nested VLAN headers.
  • Reload the networking module or reboot the system so the updated kernel symbols take effect.
  • If a kernel update is not immediately feasible, block or drop nested VLAN traffic on the host by disabling VLAN processing on the affected interfaces or removing VLAN tags before packets reach the kernel.

Generated by OpenCVE AI on May 6, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area, and the following skb_pull(VLAN_HLEN) may violate skb invariants. Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and pulling each nested VLAN header. If the header still is not fully available, drop the packet through the existing error path.
Title net: sched: act_csum: validate nested VLAN headers
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:38.439Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31684

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-25T09:16:02.163

Modified: 2026-05-06T21:11:34.630

Link: CVE-2026-31684

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31684 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses