Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_eui64: reject invalid MAC header for all packets

`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.

The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.

Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Published: 2026-04-25
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the netfilter ip6t_eui64 target allows kernel code to read an Ethernet header that may be invalid for packets that are not fragmented (par->fragoff == 0). The omission of a guard that rejects such headers lets the kernel access eth_hdr(skb) even when the MAC header is malformed, which can lead to memory corruption and kernel crashes.

Affected Systems

All Linux kernel implementations that include the ip6t_eui64 module and have not applied the patch address this vulnerability. No specific version numbers are enumerated, so any distribution running the vulnerable kernel code is potentially affected.

Risk and Exploitability

The vulnerability’s CVSS score indicates critical severity. Although the EPSS score is less than 1%, the existence of the flaw means an attacker can craft and send malicious IPv6 packets that traverse the ip6t_eui64 chain, potentially causing kernel crashes or denial of service. The flaw is not yet listed in the CISA KEV catalog, suggesting no known public exploits, but the high severity and the ability to trigger it over the network make it a high risk to systems exposed to untrusted IPv6 traffic.

Generated by OpenCVE AI on May 6, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest stable release that includes the patch for CVE-2026-31685.
  • Disable the ip6t_eui64 target from all chains that process traffic from untrusted networks.
  • Configure the host firewall to drop all incoming IPv6 packets from external networks until the patch is applied.

Generated by OpenCVE AI on May 6, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Title netfilter: ip6t_eui64: reject invalid MAC header for all packets
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:39.681Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31685

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-25T09:16:02.273

Modified: 2026-05-06T21:08:10.723

Link: CVE-2026-31685

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31685 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses