{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31411", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.087Z", "datePublished": "2026-04-08T13:06:17.800Z", "dateUpdated": "2026-05-11T22:08:11.432Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:11.432Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\n\nReproducer available at [1].\n\nThe ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc\npointer from msg->vcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\n\n int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\n ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon\n struct msghdr msg = { .msg_iov = &iov, ... };\n *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer\n sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef\n\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\n\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\n\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\n\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/atm/signaling.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "c96549d07dfdd51aadf0722cfb40711574424840", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "1c8bda3df028d5e54134077dcd09f46ca8cfceb5", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e3f80666c2739296c3b69a127300455c43aa1067", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "21c303fec138c002f90ed33bce60e807d53072bb", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "69d3f9ee5489e6e8b66defcfa226e91d82393297", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "440c9a5fc477a8ee259d8bf669531250b8398651", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ae88a5d2f29b69819dc7b04086734439d074a643", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/atm/signaling.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.252", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.202", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.14", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.10.252"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.15.202"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840"}, {"url": "https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5"}, {"url": "https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2"}, {"url": "https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067"}, {"url": "https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb"}, {"url": "https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297"}, {"url": "https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651"}, {"url": "https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643"}], "title": "net: atm: fix crash due to unvalidated vcc pointer in sigd_send()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\n\nReproducer available at [1].\n\nThe ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc\npointer from msg->vcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\n\n int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\n ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon\n struct msghdr msg = { .msg_iov = &iov, ... };\n *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer\n sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef\n\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\n\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\n\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\n\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3"}], "id": "CVE-2026-31411", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T14:16:27.977", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: atm: fix crash due to unvalidated vcc pointer in sigd_send()", "id": "2456521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456521"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-822", "details": ["A flaw was found in the Linux kernel's Asynchronous Transfer Mode (ATM) networking component. A local attacker, by acting as a malicious signaling daemon, could send a specially crafted message containing an unvalidated pointer. This unvalidated pointer would be directly used by the kernel, leading to the dereference of an arbitrary memory address. The consequence is a system crash, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-31411", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31411\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31411\nhttps://lore.kernel.org/linux-cve-announce/2026040820-CVE-2026-31411-7ef9@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c96549d07dfdd51aadf0722cfb40711574424840)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1c8bda3df028d5e54134077dcd09f46ca8cfceb5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e3f80666c2739296c3b69a127300455c43aa1067)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,21c303fec138c002f90ed33bce60e807d53072bb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,69d3f9ee5489e6e8b66defcfa226e91d82393297)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,440c9a5fc477a8ee259d8bf669531250b8398651)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ae88a5d2f29b69819dc7b04086734439d074a643)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.12"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.12)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.252,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.202,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.165,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.128,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.75,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.14,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.4,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-09T01:21:25.387331+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that includes the fix for CVE-2026-31411"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "The flaw exists in the Linux kernel's ATM networking stack, affecting all kernel releases prior to the patch that introduced find_get_vcc. Any environment running the Linux kernel and capable of creating an AF_ATMSVC socket can be impacted; the attacker must execute code with sufficient privileges to obtain the ATMSIGD_CTRL ioctl. Versions prior to the commit c8bda3\u2026 are vulnerable, and the removal is included in subsequent kernel releases.", "description_and_impact": "The vulnerability allows an attacker with privileged access to send a crafted message over an AF_ATMSVC socket. The kernel improperly dereferences the vcc pointer received from user space without validation, causing a kernel fault and potentially crashing the system. This results in a denial of service on the affected machine.", "risk_and_exploitability": "The CVSS score of 7.0 indicates moderate severity. No exploit evidence is present in the available references, and the vulnerability is not listed in CISA's KEV catalog. The risk is significant in high\u2011availability or critical systems because an attacker could forcibly crash the kernel, causing service disruption. While the exploit requires privileged access or a malicious signaling daemon, the lack of input validation makes it easy to trigger once the attack vector is available. Therefore, applying the kernel patch is the recommended response."}}}}, "created": "2026-04-08T19:27:03.263677+00:00", "updated": "2026-04-09T08:28:06.986014+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}