{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31531", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.112Z", "datePublished": "2026-04-23T11:12:44.143Z", "dateUpdated": "2026-05-11T22:10:35.906Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:35.906Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()\n\nWhen querying a nexthop object via RTM_GETNEXTHOP, the kernel currently\nallocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for\nsingle nexthops and small Equal-Cost Multi-Path groups, this fixed\nallocation fails for large nexthop groups like 512 nexthops.\n\nThis results in the following warning splat:\n\n WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608\n [...]\n RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)\n [...]\n Call Trace:\n <TASK>\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)\n ___sys_sendmsg (net/socket.c:2641)\n __sys_sendmsg (net/socket.c:2671)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nFix this by allocating the size dynamically using nh_nlmsg_size() and\nusing nlmsg_new(), this is consistent with nexthop_notify() behavior. In\naddition, adjust nh_nlmsg_size_grp() so it calculates the size needed\nbased on flags passed. While at it, also add the size of NHA_FDB for\nnexthop group size calculation as it was missing too.\n\nThis cannot be reproduced via iproute2 as the group size is currently\nlimited and the command fails as follows:\n\naddattr_l ERROR: message exceeded bound of 1048"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/nexthop.c"], "versions": [{"version": "430a049190de3c9e219f43084de9f1122da04570", "lessThan": "615517f3f8d53b0cf41507c7599971e17adfdfa5", "status": "affected", "versionType": "git"}, {"version": "430a049190de3c9e219f43084de9f1122da04570", "lessThan": "40bd39e383a0478fd5c221f393df05fd9d70cfbc", "status": "affected", "versionType": "git"}, {"version": "430a049190de3c9e219f43084de9f1122da04570", "lessThan": "635038fe19db391117e66b46bdc2b6e447ac801d", "status": "affected", "versionType": "git"}, {"version": "430a049190de3c9e219f43084de9f1122da04570", "lessThan": "14cf0cd35361f4e94824bf8a42f72713d7702a73", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/nexthop.c"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/615517f3f8d53b0cf41507c7599971e17adfdfa5"}, {"url": "https://git.kernel.org/stable/c/40bd39e383a0478fd5c221f393df05fd9d70cfbc"}, {"url": "https://git.kernel.org/stable/c/635038fe19db391117e66b46bdc2b6e447ac801d"}, {"url": "https://git.kernel.org/stable/c/14cf0cd35361f4e94824bf8a42f72713d7702a73"}], "title": "ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A776C96C-AD0E-490C-AE7A-9FB2F402EB0D", "versionEndExcluding": "6.12.83", "versionStartIncluding": "5.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()\n\nWhen querying a nexthop object via RTM_GETNEXTHOP, the kernel currently\nallocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for\nsingle nexthops and small Equal-Cost Multi-Path groups, this fixed\nallocation fails for large nexthop groups like 512 nexthops.\n\nThis results in the following warning splat:\n\n WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608\n [...]\n RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)\n [...]\n Call Trace:\n <TASK>\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)\n ___sys_sendmsg (net/socket.c:2641)\n __sys_sendmsg (net/socket.c:2671)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nFix this by allocating the size dynamically using nh_nlmsg_size() and\nusing nlmsg_new(), this is consistent with nexthop_notify() behavior. In\naddition, adjust nh_nlmsg_size_grp() so it calculates the size needed\nbased on flags passed. While at it, also add the size of NHA_FDB for\nnexthop group size calculation as it was missing too.\n\nThis cannot be reproduced via iproute2 as the group size is currently\nlimited and the command fails as follows:\n\naddattr_l ERROR: message exceeded bound of 1048"}], "id": "CVE-2026-31531", "lastModified": "2026-04-28T17:38:49.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-23T12:17:01.820", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/14cf0cd35361f4e94824bf8a42f72713d7702a73"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/40bd39e383a0478fd5c221f393df05fd9d70cfbc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/615517f3f8d53b0cf41507c7599971e17adfdfa5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/635038fe19db391117e66b46bdc2b6e447ac801d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()", "id": "2461108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461108"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel. A local user can trigger a denial of service by querying a nexthop object with a large number of nexthop groups. This occurs because the kernel uses a fixed-size buffer that cannot accommodate the large response, leading to a kernel warning and potential system instability."], "name": "CVE-2026-31531", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31531\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31531\nhttps://lore.kernel.org/linux-cve-announce/2026042347-CVE-2026-31531-6f6d@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[430a049190de3c9e219f43084de9f1122da04570,615517f3f8d53b0cf41507c7599971e17adfdfa5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[430a049190de3c9e219f43084de9f1122da04570,40bd39e383a0478fd5c221f393df05fd9d70cfbc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[430a049190de3c9e219f43084de9f1122da04570,635038fe19db391117e66b46bdc2b6e447ac801d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[430a049190de3c9e219f43084de9f1122da04570,14cf0cd35361f4e94824bf8a42f72713d7702a73)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:50:57.971777+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the patch that moves the skb allocation to dynamic sizing using nh_nlmsg_size() and nlmsg_new().", "If a kernel upgrade cannot be performed immediately, apply the upstream patch manually to the kernel source and rebuild the kernel.", "Restrict access to large RTM_GETNEXTHOP queries by ensuring only CAP_NET_ADMIN or root processes can create large nexthop groups; drop privileged users or limit netlink usage."], "summary": {"action": "Patch Kernel", "impact": "Denial of Service via large nexthop groups"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that have not yet incorporated the patch that relocates the skb allocation to dynamic sizing via nh_nlmsg_size() and nlmsg_new(). The affected environment is the Linux kernel itself; no specific micro\u2011kernel or distribution is listed by the CNA. The vulnerability exists in the default kernel build that uses the fixed NLMSG_GOODSIZE allocation scheme.", "description_and_impact": "The Linux kernel function rtm_get_nexthop allocates a netlink socket buffer with a fixed size suitable only for small nexthop groups. When a large nexthop group, such as 512 entries, is requested, the allocation overflows leading to a kernel warning splat. This is a buffer overrun weakness classified as CWE\u2011131. The impact is a denial of service where a crafted request could cause unstable behavior. Based on the description, it may lead to instability, though the CVE does not explicitly state a crash or memory corruption.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, while the EPSS score of < 1% shows it is unlikely to be actively exploited today. The vulnerability is not yet listed in CISA KEV, and there is no documented exploitation vector. Based on the kernel\u2019s netlink interface, an attacker would need the ability to send a large RTM_GETNEXTHOP request, which typically requires CAP_NET_ADMIN or root privileges, so the risk is moderate on privileged systems and low on non\u2011privileged hosts. The description notes a warning splat but does not indicate a crash, so the exact impact on stability is inferred."}}}}, "created": "2026-04-27T23:45:15.683764+00:00", "updated": "2026-04-29T00:00:13.822518+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}