CVE-2026-31405
Published: 06 April 2026
Summary
CVE-2026-31405 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31405 is an out-of-bounds (OOB) read vulnerability in the Linux kernel's dvb-net subsystem, specifically in the handling of ULE (Unidirectional Lightweight Encapsulation) extension headers. The arrays ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] are sized to 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), allowing values from 0 to 255. When htype is 255, this triggers an OOB read from the function pointer table, and the read value may subsequently be invoked as a function pointer.
A remote network attacker can exploit this vulnerability without privileges or user interaction by sending a specially crafted ULE packet with htype set to 255. The low attack complexity enables unauthenticated exploitation over the network, potentially leading to arbitrary code execution, denial of service, or other impacts due to the function pointer dereference. The vulnerability scores 9.8 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts.
Mitigation patches are available in multiple Linux kernel stable branches via the referenced commits, which add a bounds check on htype against the array size before table access. Out-of-range htype values now result in the SNDU (Service Data Unit) being discarded, preventing the OOB access. Security practitioners should update affected kernel versions promptly, particularly those using DVB networking features.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19199
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is…
more
derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network packet crafting directly enables exploitation of the exposed dvb-net kernel component for initial access and RCE (T1190/T1210); OOB function pointer dereference also permits DoS outcomes under T1499.004.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely installation of kernel patches that add bounds checks on network-derived htype indices, directly remediating the OOB read vulnerability in ULE extension handling.
Mandates validation of untrusted network inputs like htype before using as array indices, preventing OOB access in dvb-net ULE processing.
Kernel memory protections such as KASLR, SMEP, and supervisor mode execution prevention mitigate exploitation of OOB function pointer reads leading to code execution.