CVE-2026-31752 - Vulnerability Details

- bridge: br_nd_send: validate ND option lengths

Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: br_nd_send: validate ND option lengths

br_nd_send() walks ND options according to option-provided lengths.
A malformed option can make the parser advance beyond the computed
option span or use a too-short source LLADDR option payload.

Validate option lengths against the remaining NS option area before
advancing, and only read source LLADDR when the option is large enough
for an Ethernet address.

Published: 2026-05-01

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A malformed Neighbor Discovery (ND) option can cause the Linux kernel bridge code to read beyond the intended option data or to treat an incomplete source link‑layer address as a full Ethernet address. This out‑of‑bounds read or write corrupts kernel memory and allows an attacker who can inject custom Ethernet frames over a bridged interface to execute arbitrary code with kernel privileges.

Affected Systems

The flaw exists in the generic bridge driver that ships with all Linux kernel builds. Kernels that do not contain the patch introduced in the commits referenced in the advisory are vulnerable. Distributions still shipping older kernel versions remain exposed until they upgrade to a kernel that includes the validation fix.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so the exploitation probability is uncertain. However, the flaw permits memory corruption with merely network access to a bridged interface, and it can lead to remote code execution. The CVSS score of 7.0 indicates high severity, underscoring the potential impact on exposed hosts.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ed842faeb2bd49256f00485402f3113205f91d30`	affected	< 82a42eceec7c6bdb0e0da94c0542a173b7ea57f2
`ed842faeb2bd49256f00485402f3113205f91d30`	affected	< 259466f76f5a2148aff11134e68f4b4c6d52725b
`ed842faeb2bd49256f00485402f3113205f91d30`	affected	< ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a
`ed842faeb2bd49256f00485402f3113205f91d30`	affected	< e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa
`ed842faeb2bd49256f00485402f3113205f91d30`	affected	< c49b9256bbacb6a135654aebd12e4c0e87166b7c
`ed842faeb2bd49256f00485402f3113205f91d30`	affected	< 837392a38445729c22e03d3abcf33f07763efd85
`ed842faeb2bd49256f00485402f3113205f91d30`	affected	< e71303a9190496136e240c4f2872b7b0b16027a7
`ed842faeb2bd49256f00485402f3113205f91d30`	affected	< 850837965af15707fd3142c1cf3c5bfaf022299b

Linux

affected

Version	Status	Constraints
`4.15`	affected	—
`0`	unaffected	< 4.15
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ed842faeb2bd49256f00485402f3113205f91d30,82a42eceec7c6bdb0e0da94c0542a173b7ea57f2)`	affected	code_commit	—
`[ed842faeb2bd49256f00485402f3113205f91d30,259466f76f5a2148aff11134e68f4b4c6d52725b)`	affected	code_commit	—
`[ed842faeb2bd49256f00485402f3113205f91d30,ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a)`	affected	code_commit	—
`[ed842faeb2bd49256f00485402f3113205f91d30,e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa)`	affected	code_commit	—
`[ed842faeb2bd49256f00485402f3113205f91d30,c49b9256bbacb6a135654aebd12e4c0e87166b7c)`	affected	code_commit	—
`[ed842faeb2bd49256f00485402f3113205f91d30,837392a38445729c22e03d3abcf33f07763efd85)`	affected	code_commit	—
`[ed842faeb2bd49256f00485402f3113205f91d30,e71303a9190496136e240c4f2872b7b0b16027a7)`	affected	code_commit	—
`[ed842faeb2bd49256f00485402f3113205f91d30,850837965af15707fd3142c1cf3c5bfaf022299b)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.15`	affected	generic	—
`[0,4.15)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a Linux kernel update that contains the br_nd_send patch and reboot the network stack to load the new code.
If an immediate kernel upgrade is not possible, temporarily block or limit traffic on the affected bridged interfaces, or isolate the segment with a firewall to prevent malformed ND frames from reaching the kernel.
Enable detailed logging for ND options and monitor system logs or kernel dumps for unusually long ND options or crashes that may indicate exploitation attempts.

Generated by OpenCVE AI on May 2, 2026 at 07:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/259466f76f5a2148aff11134e68f4b4c6d52725b
https://git.kernel.org/stable/c/82a42eceec7c6bdb0e0da94c0542a173b7ea57f2
https://git.kernel.org/stable/c/837392a38445729c22e03d3abcf33f07763efd85
https://git.kernel.org/stable/c/850837965af15707fd3142c1cf3c5bfaf022299b
https://git.kernel.org/stable/c/c49b9256bbacb6a135654aebd12e4c0e87166b7c
https://git.kernel.org/stable/c/e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa
https://git.kernel.org/stable/c/e71303a9190496136e240c4f2872b7b0b16027a7
https://git.kernel.org/stable/c/ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a
https://lore.kernel.org/linux-cve-announce/2026050143-CVE-2026-31752-5596@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31752
https://www.cve.org/CVERecord?id=CVE-2026-31752

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-805
References		https://lore.kernel.org/linux-cve-announce/2026050143-CVE-2026-31752-5596@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31752 https://www.cve.org/CVERecord?id=CVE-2026-31752
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: validate ND option lengths br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload. Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.
Title		bridge: br_nd_send: validate ND option lengths
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/259466f76f5a2148aff11134e68f4b4c6d52725b https://git.kernel.org/stable/c/82a42eceec7c6bdb0e0da94c0542a173b7ea57f2 https://git.kernel.org/stable/c/837392a38445729c22e03d3abcf33f07763efd85 https://git.kernel.org/stable/c/850837965af15707fd3142c1cf3c5bfaf022299b https://git.kernel.org/stable/c/c49b9256bbacb6a135654aebd12e4c0e87166b7c https://git.kernel.org/stable/c/e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa https://git.kernel.org/stable/c/e71303a9190496136e240c4f2872b7b0b16027a7 https://git.kernel.org/stable/c/ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:44.298Z

Updated: 2026-05-01T14:14:44.298Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31752

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:38.090

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31752

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31752 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T07:30:36Z

Weaknesses

CWE-805

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object