CVE-2026-31685 PUBLISHED

netfilter: ip6t_eui64: reject invalid MAC header for all packets

Assigner: Linux
Reserved: 09.03.2026 Published: 25.04.2026 Updated: 27.04.2026

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_eui64: reject invalid MAC header for all packets

eui64_mt6() derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.

The existing guard only rejects an invalid MAC header when par->fragoff != 0. For packets with par->fragoff == 0, eui64_mt6() can still reach eth_hdr(skb) even when the MAC header is not valid.

Fix this by removing the par->fragoff != 0 condition so that packets with an invalid MAC header are rejected before accessing eth_hdr(skb).

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CVSS Score: 9.4

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 288138418bef956f8b295751a4536c60f0e89f4a (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 9eda5478746ef7dc0e4e537b5a5e4b0ca1027091 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 807d6ee15804df6f01a35c910f09612e858739a6 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 309ae3e9a51a69699ca94eac5fac5688fa562d55 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to fdce0b3590f724540795b874b4c8850c90e6b0a8 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.12 is affected
  • unaffected from 0 to 2.6.12 (excl.)
  • unaffected from 6.6.136 to 6.6.* (incl.)
  • unaffected from 6.12.83 to 6.12.* (incl.)
  • unaffected from 6.18.24 to 6.18.* (incl.)
  • unaffected from 6.19.14 to 6.19.* (incl.)
  • unaffected from 7.0 to * (incl.)

References