Zero Day MonitorZDM

← Back to list

—

CVE-2026-31407PATCHED

Linux · Linux

netfilter: conntrack: add missing netlink policy validations

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.

Affected Products

Vendor	Product	Versions
Linux	Linux	a258860e01b80e8f554a4ab1a6c95e6042eb8b73, a258860e01b80e8f554a4ab1a6c95e6042eb8b73, 2.6.27

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
linux	linux	mitre_affected	90%

References

Related News (2 articles)

Tier C

VulDB2h ago

CVE-2026-31407 | Linux Kernel up to 6.19.9/7.0-rc4 netfilter nlattr_to_sctp out-of-bounds

→ No new info (linked only)

Tier C

Linux Kernel CVEs3h ago

CVE-2026-31407: netfilter: conntrack: add missing netlink policy validations

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

0fbae1e74493d5a160a70c51aeba035d8266ea7df900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba0506.19.107.0-rc5

PublishedApr 6, 2026

Last enriched2h agov2

Trending Score31

Source articles2

Independent2

Info Completeness7/14

Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-23444EXP

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

NONECVE-2026-31410EXP

ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION

NONECVE-2026-23472EXP

serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN

CRITICALCVE-2026-23442

ipv6: add NULL checks for idev in SRv6 paths

CRITICALCVE-2026-23473

io_uring/poll: fix multishot recv missing EOF on wakeup race

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 6, 2026

Discovered by ZDM

Apr 6, 2026

Updated: affectedVersions

Apr 6, 2026

Patch Available

Apr 6, 2026

Version History

v2

Last enriched 2h ago

v2Tier C2h ago

Updated description with critical severity, affected versions, and clarified exploit availability.

affectedVersions

via VulDB

v13h ago

Initial creation