{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31407", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.086Z", "datePublished": "2026-04-06T07:38:19.712Z", "dateUpdated": "2026-05-11T22:08:06.853Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:06.853Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: add missing netlink policy validations\n\nHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n\nThese attributes are used by the kernel without any validation.\nExtend the netlink policies accordingly.\n\nQuoting the reporter:\n nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n value directly to ct->proto.sctp.state without checking that it is\n within the valid range. [..]\n\n and: ... with exp->dir = 100, the access at\n ct->master->tuplehash[100] reads 5600 bytes past the start of a\n 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n UBSAN."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_netlink.c", "net/netfilter/nf_conntrack_proto_sctp.c"], "versions": [{"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73", "lessThan": "c5e918390002edf0cff80a0e7ce1f86f16a9507c", "status": "affected", "versionType": "git"}, {"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73", "lessThan": "9174d28f3f15d8c4962f5980c0be167633880443", "status": "affected", "versionType": "git"}, {"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73", "lessThan": "67c53c1978cef3c504237275e39c857e2f6af56e", "status": "affected", "versionType": "git"}, {"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73", "lessThan": "0fbae1e74493d5a160a70c51aeba035d8266ea7d", "status": "affected", "versionType": "git"}, {"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73", "lessThan": "f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_netlink.c", "net/netfilter/nf_conntrack_proto_sctp.c"], "versions": [{"version": "2.6.27", "status": "affected"}, {"version": "0", "lessThan": "2.6.27", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c5e918390002edf0cff80a0e7ce1f86f16a9507c"}, {"url": "https://git.kernel.org/stable/c/9174d28f3f15d8c4962f5980c0be167633880443"}, {"url": "https://git.kernel.org/stable/c/67c53c1978cef3c504237275e39c857e2f6af56e"}, {"url": "https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d"}, {"url": "https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05"}], "title": "netfilter: conntrack: add missing netlink policy validations", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: add missing netlink policy validations\n\nHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n\nThese attributes are used by the kernel without any validation.\nExtend the netlink policies accordingly.\n\nQuoting the reporter:\n nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n value directly to ct->proto.sctp.state without checking that it is\n within the valid range. [..]\n\n and: ... with exp->dir = 100, the access at\n ct->master->tuplehash[100] reads 5600 bytes past the start of a\n 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n UBSAN."}], "id": "CVE-2026-31407", "lastModified": "2026-04-27T14:16:36.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-06T08:16:38.623", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/67c53c1978cef3c504237275e39c857e2f6af56e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9174d28f3f15d8c4962f5980c0be167633880443"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c5e918390002edf0cff80a0e7ce1f86f16a9507c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: conntrack: add missing netlink policy validations", "id": "2455331", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455331"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in the Linux kernel's netfilter conntrack subsystem. Missing netlink policy validations allow a local attacker to provide a specially crafted input, leading to an out-of-bounds read. This vulnerability can result in information disclosure from kernel memory or potentially cause a denial of service."], "name": "CVE-2026-31407", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31407\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31407\nhttps://lore.kernel.org/linux-cve-announce/2026040628-CVE-2026-31407-6abd@gregkh/T"], "statement": "Unvalidated SCTP state and expectation direction allowed slab OOB reads. Attributes are consumed from nfnetlink without range checks until this fix. Requires CAP_NET_ADMIN to send the malformed netlink messages.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a258860e01b80e8f554a4ab1a6c95e6042eb8b73,0fbae1e74493d5a160a70c51aeba035d8266ea7d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a258860e01b80e8f554a4ab1a6c95e6042eb8b73,f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.27"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.27)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:44:06.817457+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a release that includes commit c0fbae1e74493\u2026 or f900e1d77ee0\u2026 implementing the missing policy validation", "If an immediate kernel upgrade is not possible, restrict or remove CAP_NET_ADMIN privileges for untrusted users and, if supported, disable the conntrack netlink interface to prevent sending crafted messages", "Subscribe to the distribution's security advisories and apply future kernel updates that include the fix as they become available"], "summary": {"action": "Apply patch", "impact": "Kernel out\u2011of\u2011bounds read leading to information disclosure"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that have not incorporated the patch commits adding netlink policy validation are affected. This includes any distribution running an unmodified Linux kernel built before the relevant commit. No specific version list is provided, so any kernel older than the commit is at risk.", "description_and_impact": "In the Linux kernel, missing netlink policy checks in the conntrack subsystem allow a crafted netlink message to set the SCTP state value or an invalid tuple hash index directly. The kernel then performs an out\u2011of\u2011bounds read on the nf_conn object, exposing portions of kernel memory. The flaw is a classical buffer overread (CWE\u2011125) and can leak kernel addresses, user credentials, or other sensitive data, but does not provide arbitrary code execution. The description indicates that the read occurs when the kernel processes user\u2011supplied attributes without validation.", "risk_and_exploitability": "The CVSS score of 7.1 denotes high severity, and the EPSS score of less than 1\u202f% suggests exploitation opportunities are rare. It is inferred that an attacker must be able to send netlink commands with CAP_NET_ADMIN or otherwise gain privileged local access to trigger the fault. The flaw is listed outside the CISA KEV catalog and, being an out\u2011of\u2011bounds read, generally leads to information disclosure unless chained to other weaknesses."}}}}, "created": "2026-04-06T20:14:55.263626+00:00", "updated": "2026-04-28T21:45:26.153013+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}