Home

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-06 | Updated 2026-05-11 | Assigner Linux




HIGH: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Product status

Default status
unaffected

a258860e01b80e8f554a4ab1a6c95e6042eb8b73 (git) before c5e918390002edf0cff80a0e7ce1f86f16a9507c
affected

a258860e01b80e8f554a4ab1a6c95e6042eb8b73 (git) before 9174d28f3f15d8c4962f5980c0be167633880443
affected

a258860e01b80e8f554a4ab1a6c95e6042eb8b73 (git) before 67c53c1978cef3c504237275e39c857e2f6af56e
affected

a258860e01b80e8f554a4ab1a6c95e6042eb8b73 (git) before 0fbae1e74493d5a160a70c51aeba035d8266ea7d
affected

a258860e01b80e8f554a4ab1a6c95e6042eb8b73 (git) before f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05
affected

Default status
affected

2.6.27
affected

Any version before 2.6.27
unaffected

6.6.136 (semver)
unaffected

6.12.83 (semver)
unaffected

6.18.24 (semver)
unaffected

6.19.10 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/c5e918390002edf0cff80a0e7ce1f86f16a9507c

git.kernel.org/...c/9174d28f3f15d8c4962f5980c0be167633880443

git.kernel.org/...c/67c53c1978cef3c504237275e39c857e2f6af56e

git.kernel.org/...c/0fbae1e74493d5a160a70c51aeba035d8266ea7d

git.kernel.org/...c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05

cve.org (CVE-2026-31407)

nvd.nist.gov (CVE-2026-31407)

Download JSON