{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31407", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.086Z", "datePublished": "2026-04-06T07:38:19.712Z", "dateUpdated": "2026-04-06T07:38:19.712Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-06T07:38:19.712Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: add missing netlink policy validations\n\nHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n\nThese attributes are used by the kernel without any validation.\nExtend the netlink policies accordingly.\n\nQuoting the reporter:\n nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n value directly to ct->proto.sctp.state without checking that it is\n within the valid range. [..]\n\n and: ... with exp->dir = 100, the access at\n ct->master->tuplehash[100] reads 5600 bytes past the start of a\n 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n UBSAN."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_netlink.c", "net/netfilter/nf_conntrack_proto_sctp.c"], "versions": [{"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73", "lessThan": "0fbae1e74493d5a160a70c51aeba035d8266ea7d", "status": "affected", "versionType": "git"}, {"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73", "lessThan": "f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_netlink.c", "net/netfilter/nf_conntrack_proto_sctp.c"], "versions": [{"version": "2.6.27", "status": "affected"}, {"version": "0", "lessThan": "2.6.27", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d"}, {"url": "https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05"}], "title": "netfilter: conntrack: add missing netlink policy validations", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: add missing netlink policy validations\n\nHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n\nThese attributes are used by the kernel without any validation.\nExtend the netlink policies accordingly.\n\nQuoting the reporter:\n nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n value directly to ct->proto.sctp.state without checking that it is\n within the valid range. [..]\n\n and: ... with exp->dir = 100, the access at\n ct->master->tuplehash[100] reads 5600 bytes past the start of a\n 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n UBSAN."}], "id": "CVE-2026-31407", "lastModified": "2026-04-07T13:20:35.010", "metrics": {}, "published": "2026-04-06T08:16:38.623", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: conntrack: add missing netlink policy validations", "id": "2455331", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455331"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in the Linux kernel's netfilter conntrack subsystem. Missing netlink policy validations allow a local attacker to provide a specially crafted input, leading to an out-of-bounds read. This vulnerability can result in information disclosure from kernel memory or potentially cause a denial of service."], "name": "CVE-2026-31407", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31407\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31407\nhttps://lore.kernel.org/linux-cve-announce/2026040628-CVE-2026-31407-6abd@gregkh/T"], "statement": "Unvalidated SCTP state and expectation direction allowed slab OOB reads. Attributes are consumed from nfnetlink without range checks until this fix. Requires CAP_NET_ADMIN to send the malformed netlink messages.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a258860e01b80e8f554a4ab1a6c95e6042eb8b73,0fbae1e74493d5a160a70c51aeba035d8266ea7d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a258860e01b80e8f554a4ab1a6c95e6042eb8b73,f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.27"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.27)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-07T09:55:12.242418+00:00", "value": {"mitigation_remediation": ["Update the kernel to a release that includes commit c0fbae1e74493\u2026 or f900e1d77ee0\u2026 that introduces the missing policy validation.", "Verify the patch is present by checking the kernel version or running dmesg for the commit message.", "If an update cannot be applied immediately, restrict use of conntrack netlink operations to trusted users and avoid sending custom SCTP state attributes."], "summary": {"action": "Apply patch", "impact": "Kernel out\u2011of\u2011bounds read leading to information disclosure"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds before the patch that adds netlink policy validation are affected. The vulnerability is present in the kernel\u2019s netfilter conntrack code and therefore applies to every distribution that ships an unmodified Linux kernel, including major distros such as Ubuntu, CentOS, Debian, RHEL and others. No specific version list is provided in the advisory, so any kernel older than the commit that introduced the fix is at risk.", "description_and_impact": "An attacker may send crafted netlink messages to the conntrack subsystem that overwrite the SCTP state or access an invalid tuple hash index. The kernel then reads beyond the boundaries of the netfilter connection object, exposing up to several kilobytes of kernel memory. This out\u2011of\u2011bounds read is a classic buffer overread (CWE\u2011125) and can leak sensitive data such as kernel addresses or user credentials.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1\u202f% suggests that exploitation opportunities are expected to be rare. The vulnerability requires the ability to send netlink commands with CAP_NET_ADMIN, so a local attacker who has or can obtain that capability would be able to trigger the fault. The fix is not yet in KEV, and because the flaw is an out\u2011of\u2011bounds read rather than an arbitrary code execution, the impact is limited to information disclosure unless combined with further vulnerabilities."}}}}, "created": "2026-04-06T20:14:55.263626+00:00", "updated": "2026-04-08T19:52:37.317804+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}