Home

Description

In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10. "hash2" is keyed by local address and local port. "hash" is keyed by local port only. The issue can be shown in the following bind sequence (pseudo code): bind(fd1, "[fd00::1]:8888") bind(fd2, "[fd00::2]:8888") bind(fd3, "[fd00::3]:8888") bind(fd4, "[fd00::4]:8888") bind(fd5, "[fd00::5]:8888") bind(fd6, "[fd00::6]:8888") bind(fd7, "[fd00::7]:8888") bind(fd8, "[fd00::8]:8888") bind(fd9, "[fd00::9]:8888") bind(fd10, "[fd00::10]:8888") /* Correctly return -EADDRINUSE because "hash" is used * instead of "hash2". udp_lib_lport_inuse() detects the * conflict. */ bind(fail_fd, "[::]:8888") /* After one more socket is bound to "[fd00::11]:8888", * hslot->count exceeds 10 and "hash2" is used instead. */ bind(fd11, "[fd00::11]:8888") bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */ The same issue applies to the IPv4 wildcard address "0.0.0.0" and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For example, if there are existing sockets bound to "192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or "[::ffff:0.0.0.0]:8888" can also miss the conflict when hslot->count > 10. TCP inet_csk_get_port() already has the correct check in inet_use_bhash2_on_bind(). Rename it to inet_use_hash2_on_bind() and move it to inet_hashtables.h so udp.c can reuse it in this fix.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-22 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

30fff9231fad757c061285e347b33c5149c2c2e4 (git) before d6ace0dbcbb7fd285738bb87b42b71b01858c952
affected

30fff9231fad757c061285e347b33c5149c2c2e4 (git) before 2297e38114316b26ae02f2d205c49b5511c5ed55
affected

30fff9231fad757c061285e347b33c5149c2c2e4 (git) before f1bed05a832ae79be5f7a105da56810eaa59a5f1
affected

30fff9231fad757c061285e347b33c5149c2c2e4 (git) before 18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4
affected

30fff9231fad757c061285e347b33c5149c2c2e4 (git) before 0a360f7f73a06ac88f18917055fbcc79694252d7
affected

30fff9231fad757c061285e347b33c5149c2c2e4 (git) before e537dd15d0d4ad989d56a1021290f0c674dd8b28
affected

Default status
affected

2.6.33
affected

Any version before 2.6.33
unaffected

6.1.168 (semver)
unaffected

6.6.131 (semver)
unaffected

6.12.80 (semver)
unaffected

6.18.21 (semver)
unaffected

6.19.11 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/d6ace0dbcbb7fd285738bb87b42b71b01858c952

git.kernel.org/...c/2297e38114316b26ae02f2d205c49b5511c5ed55

git.kernel.org/...c/f1bed05a832ae79be5f7a105da56810eaa59a5f1

git.kernel.org/...c/18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4

git.kernel.org/...c/0a360f7f73a06ac88f18917055fbcc79694252d7

git.kernel.org/...c/e537dd15d0d4ad989d56a1021290f0c674dd8b28

cve.org (CVE-2026-31503)

nvd.nist.gov (CVE-2026-31503)

Download JSON