CVE-2026-31407

netfilter: conntrack: add missing netlink policy validations

Assigner: Linux
Reserved: 09.03.2026 Published: 06.04.2026 Updated: 06.04.2026

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: add missing netlink policy validations

Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.

These attributes are used by the kernel without any validation. Extend the netlink policies accordingly.

Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..]

and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from a258860e01b80e8f554a4ab1a6c95e6042eb8b73 to 0fbae1e74493d5a160a70c51aeba035d8266ea7d (excl.) affected from a258860e01b80e8f554a4ab1a6c95e6042eb8b73 to f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from a258860e01b80e8f554a4ab1a6c95e6042eb8b73 to 0fbae1e74493d5a160a70c51aeba035d8266ea7d (excl.)
affected from a258860e01b80e8f554a4ab1a6c95e6042eb8b73 to f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 2.6.27 is affected unaffected from 0 to 2.6.27 (excl.) unaffected from 6.19.10 to 6.19.* (incl.) unaffected from 7.0-rc5 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 2.6.27 is affected
unaffected from 0 to 2.6.27 (excl.)
unaffected from 6.19.10 to 6.19.* (incl.)
unaffected from 7.0-rc5 to * (incl.)

References

CVE-2026-31407 PUBLISHED

netfilter: conntrack: add missing netlink policy validations

Product Status

References