Linux kernel netfilter conntrack netlink OOB read via SCTP
CVE-2026-31407 Published on April 6, 2026
netfilter: conntrack: add missing netlink policy validations
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: add missing netlink policy validations
Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.
These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.
Quoting the reporter:
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. [..]
and: ... with exp->dir = 100, the access at
ct->master->tuplehash[100] reads 5600 bytes past the start of a
320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
UBSAN.
Products Associated with CVE-2026-31407
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version a258860e01b80e8f554a4ab1a6c95e6042eb8b73 and below 0fbae1e74493d5a160a70c51aeba035d8266ea7d is affected.
- Version a258860e01b80e8f554a4ab1a6c95e6042eb8b73 and below f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 is affected.
- Version 2.6.27 is affected.
- Before 2.6.27 is unaffected.
- Version 6.19.10, <= 6.19.* is unaffected.
- Version 7.0-rc5, <= * is unaffected.