Description
In the Linux kernel, the following vulnerability has been resolved:

bridge: br_nd_send: validate ND option lengths

br_nd_send() walks ND options according to option-provided lengths.
A malformed option can make the parser advance beyond the computed
option span or use a too-short source LLADDR option payload.

Validate option lengths against the remaining NS option area before
advancing, and only read source LLADDR when the option is large enough
for an Ethernet address.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed Neighbor Discovery (ND) option can cause the Linux kernel bridge code to read beyond the intended option data or to treat an incomplete source link‑layer address as a full Ethernet address. This out‑of‑bounds read or write corrupts kernel memory and allows an attacker who can inject custom Ethernet frames over a bridged interface to execute arbitrary code with kernel privileges.

Affected Systems

The flaw exists in the generic bridge driver that ships with all Linux kernel builds. Kernels that do not contain the patch introduced in the commits referenced in the advisory are vulnerable. Distributions still shipping older kernel versions remain exposed until they upgrade to a kernel that includes the validation fix.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, reflecting the memory corruption that can lead to elevated privileges but is not guaranteed for arbitrary code execution without additional conditions. The EPSS score of <1% indicates a low probability of exploitation observed in the wild. The vulnerability remains unlisted in the CISA KEV catalog. Exploitation would require an attacker to inject specially crafted Neighbor Discovery options onto a bridged Ethernet interface; if successful, the kernel could read or write beyond the intended bounds, potentially escalating privileges. The lack of a KEV listing and low EPSS suggest that active exploitation is not widespread, but administrators should still prioritize applying the kernel patch.

Generated by OpenCVE AI on May 7, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that contains the br_nd_send patch and reboot the network stack to load the new code.
  • If an immediate kernel upgrade is not possible, temporarily block or limit traffic on the affected bridged interfaces, or isolate the segment with a firewall to prevent malformed ND frames from reaching the kernel.
  • Enable detailed logging for ND options and monitor system logs or kernel dumps for unusually long ND options or crashes that may indicate exploitation attempts.

Generated by OpenCVE AI on May 7, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Thu, 07 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: validate ND option lengths br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload. Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.
Title bridge: br_nd_send: validate ND option lengths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:07.575Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31752

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:38.090

Modified: 2026-05-07T19:08:55.830

Link: CVE-2026-31752

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31752 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T20:45:22Z

Weaknesses