Cyber Resilience

CVE-2026-31407

Severity: High (Updated)

Published: 06 April 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0001 (1.3 percentile)
Risk priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31407 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel (catalogued product: Linux Linux Kernel). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 1.3 percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31407 is a vulnerability in the Linux kernel's netfilter conntrack subsystem, caused by missing netlink policy validation for certain attributes used in SCTP and ctnetlink processing. Reported by Hyunwoo Kim, it allows out-of-bounds access: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without range validation, and an invalid exp->dir value (e.g., 100) indexes ct->master->tuplehash[] 5600 bytes past the start of the 320-byte nf_conn object, a slab-out-of-bounds read confirmed by UBSAN.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) via the netlink interface. Successful exploitation yields high confidentiality impact (C:H) through information disclosure from out-of-bounds reads and high availability impact (A:H), potentially via memory corruption or denial of service, with no integrity impact (I:N) and unchanged scope (S:U). The CVSS v3.1 base score is 7.1.

Mitigation requires applying the upstream Linux kernel patches from the stable repository, which extend the netlink policies so that the affected attributes are validated before use. Key commits include 0fbae1e74493d5a160a70c51aeba035d8266ea7d, 67c53c1978cef3c504237275e39c857e2f6af56e, 9174d28f3f15d8c4962f5980c0be167633880443, c5e918390002edf0cff80a0e7ce1f86f16a9507c, and f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: add missing netlink policy validations

Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly.

Quoting the reporter:

nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..]

and:

... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.
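As an added illustration (not the kernel's code and not the upstream patch), the following userspace C model shows the kind of range check the fix introduces for the two cases quoted above: a per-attribute maximum, in the spirit of a kernel netlink policy entry, rejects the SCTP state and the expectation direction before either is stored or used as an array index. The state limit, the direction limit, the 56-byte element size (inferred from 5600 bytes at dir = 100) and all names are assumptions of the model.

```c
/* Added userspace model of the range checks behind CVE-2026-31407 (not
 * kernel code). A per-attribute maximum, like a kernel NLA_POLICY_MAX
 * entry, rejects an out-of-range u8 before it is stored or used as an
 * index. The limits and sizes below are assumptions of the model. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define MODEL_SCTP_CONNTRACK_MAX 10 /* modeled after SCTP_CONNTRACK_MAX */
#define MODEL_IP_CT_DIR_MAX       2 /* IP_CT_DIR_ORIGINAL, IP_CT_DIR_REPLY */
#define MODEL_TUPLEHASH_SIZE     56 /* inferred: 5600 bytes at dir = 100 */

enum attr { ATTR_SCTP_STATE, ATTR_EXPECT_DIR, ATTR_MAX };
/* One policy entry per attribute: the largest value accepted. */
static const uint8_t policy_max[ATTR_MAX] = {
    [ATTR_SCTP_STATE] = MODEL_SCTP_CONNTRACK_MAX - 1,
    [ATTR_EXPECT_DIR] = MODEL_IP_CT_DIR_MAX - 1,
};
struct tuplehash { uint8_t raw[MODEL_TUPLEHASH_SIZE]; };
struct conn {                   /* stand-in for nf_conn */
    struct tuplehash tuplehash[MODEL_IP_CT_DIR_MAX];
    uint8_t sctp_state;         /* stand-in for ct->proto.sctp.state */
};

/* The check the fix adds: 0 when in range, -ERANGE otherwise. */
int validate_attr(enum attr type, uint8_t value)
{
    if ((unsigned)type >= ATTR_MAX)
        return -EINVAL;
    return value <= policy_max[type] ? 0 : -ERANGE;
}

/* Hardened nlattr_to_sctp() analogue: validate first, then assign. */
int set_sctp_state(struct conn *ct, uint8_t user_state)
{
    int err = validate_attr(ATTR_SCTP_STATE, user_state);
    if (err)
        return err;
    ct->sctp_state = user_state;
    return 0;
}

/* Byte offset tuplehash[dir] would touch; dir = 100 gives 5600. */
long tuplehash_offset(uint8_t dir) { return (long)dir * MODEL_TUPLEHASH_SIZE; }

/* Safe lookup: the direction is policy-checked before indexing. */
const struct tuplehash *lookup_tuplehash(const struct conn *ct, uint8_t dir)
{
    return validate_attr(ATTR_EXPECT_DIR, dir) ? NULL : &ct->tuplehash[dir];
}
```

The unpatched behaviour described in the report corresponds to skipping validate_attr() and assigning or indexing the raw value directly.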

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499 Endpoint Denial of Service (tactic: Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

A local kernel out-of-bounds read in netfilter/conntrack enables information disclosure (T1212 for potential credential leaks, T1068 for privilege escalation via kernel context) and denial of service via memory corruption (T1499).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31699 (same product: Linux Linux Kernel)
CVE-2024-51729 (same product: Linux Linux Kernel)
CVE-2025-71137 (same product: Linux Linux Kernel)
CVE-2026-31772 (same product: Linux Linux Kernel)
CVE-2026-23378 (same product: Linux Linux Kernel)
CVE-2026-31494 (same product: Linux Linux Kernel)
CVE-2025-21735 (same product: Linux Linux Kernel)
CVE-2025-21650 (same product: Linux Linux Kernel)
CVE-2024-52319 (same product: Linux Linux Kernel)
CVE-2024-58003 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0 · 2.6.27 to 6.6.136 · 6.7 to 6.12.83 · 6.13 to 6.18.24

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent)
Directly requires validation of user-supplied netlink attributes like CTA_PROTOINFO_SCTP_STATE and exp->dir to prevent out-of-bounds access in kernel conntrack processing.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the specific kernel flaw through upstream patches that extend netlink policies for SCTP and ctnetlink attributes.

Memory protection (prevent)
Provides memory protection mechanisms that mitigate the impact of slab-out-of-bounds reads in nf_conn objects caused by unvalidated inputs.