CVE-2026-31407
Published: 06 April 2026
Summary
CVE-2026-31407 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 1.3 percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31407 is a vulnerability in the Linux kernel's netfilter conntrack subsystem, caused by missing netlink policy validation for certain attributes used in SCTP and ctnetlink processing. Reported by Hyunwoo Kim, it allows out-of-bounds access: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without range validation, and an invalid exp->dir value (e.g., 100) triggers a slab-out-of-bounds read up to 5600 bytes past the nf_conn object boundary, as confirmed by UBSAN.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) via the netlink interface. Successful exploitation enables high confidentiality impact (C:H) through information disclosure from out-of-bounds reads and high availability impact (A:H), potentially via memory corruption or denial of service, with no integrity impact (I:N) and unchanged scope (S:U). The CVSS v3.1 base score is 7.1.
Mitigation requires applying upstream Linux kernel patches from the stable repository, which extend netlink policies to validate the affected attributes. Key commits include 0fbae1e74493d5a160a70c51aeba035d8266ea7d, 67c53c1978cef3c504237275e39c857e2f6af56e, 9174d28f3f15d8c4962f5980c0be167633880443, c5e918390002edf0cff80a0e7ce1f86f16a9507c, and f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19197
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations. Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.
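The fix described above and in the deeper analysis is to put a range limit into the netlink policy so that an attribute value is rejected before the kernel ever uses it as an array index or state. The following is an added example, not the kernel's code or the patches listed for this CVE: a small userspace model of attribute parsing with a per-type policy table. The attribute type names, the wire format (u16 type, u16 length, u32 value), and the bounds CT_DIR_MAX and SCTP_STATE_MAX are constructed placeholders that only stand in for the real conntrack structures. It shows the value from the report (exp->dir = 100) being refused at the policy check, so the indexing into the tuplehash[] stand-in never happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of a netlink attribute policy with range limits. This is
 * a constructed example, not kernel code: attribute names, wire format and
 * array bounds below are placeholders for the real conntrack definitions. */
#define CT_DIR_MAX     2   /* tuplehash[] has one slot per direction */
#define SCTP_STATE_MAX 10  /* placeholder upper bound for the SCTP state enum */

enum attr_type { ATTR_UNSPEC = 0, ATTR_SCTP_STATE, ATTR_EXP_DIR, ATTR_MAX };

/* One policy entry per attribute type; a non-allowed entry rejects the type. */
struct attr_policy { bool allowed; uint32_t max; };

static const struct attr_policy policy[ATTR_MAX] = {
    [ATTR_SCTP_STATE] = { .allowed = true, .max = SCTP_STATE_MAX - 1 },
    [ATTR_EXP_DIR]    = { .allowed = true, .max = CT_DIR_MAX - 1 },
};

/* Wire format of one attribute in this model: u16 type, u16 len, u32 value. */
struct attr_hdr { uint16_t type; uint16_t len; };
#define ATTR_LEN (sizeof(struct attr_hdr) + sizeof(uint32_t))

struct conn {
    uint8_t  sctp_state;             /* stands in for ct->proto.sctp.state */
    uint32_t tuplehash[CT_DIR_MAX];  /* stands in for ct->master->tuplehash */
};

/* Parse an attribute stream and enforce the policy before any value is
 * used. Returns 0 on success, -1 on malformed input or a policy violation. */
int parse_attrs(const uint8_t *buf, size_t len, uint32_t out[ATTR_MAX], bool seen[ATTR_MAX])
{
    size_t off = 0;
    memset(seen, 0, sizeof(bool) * ATTR_MAX);
    while (off + sizeof(struct attr_hdr) <= len) {
        struct attr_hdr h;
        uint32_t v;
        memcpy(&h, buf + off, sizeof h);
        if (h.len != ATTR_LEN || off + h.len > len)
            return -1;                                 /* malformed length */
        if (h.type >= ATTR_MAX || !policy[h.type].allowed)
            return -1;                                 /* unknown/forbidden type */
        memcpy(&v, buf + off + sizeof h, sizeof v);
        if (v > policy[h.type].max)
            return -1;                                 /* out of range: reject */
        out[h.type] = v;
        seen[h.type] = true;
        off += h.len;
    }
    return off == len ? 0 : -1;                        /* trailing garbage */
}

/* Apply validated attributes. parse_attrs has bounded every value, so the
 * array index below cannot run past tuplehash[]. */
int apply_attrs(struct conn *ct, const uint8_t *buf, size_t len, uint32_t *hash_out)
{
    uint32_t vals[ATTR_MAX] = {0};
    bool seen[ATTR_MAX];
    if (parse_attrs(buf, len, vals, seen) != 0)
        return -1;
    if (seen[ATTR_SCTP_STATE])
        ct->sctp_state = (uint8_t)vals[ATTR_SCTP_STATE];
    if (seen[ATTR_EXP_DIR])
        *hash_out = ct->tuplehash[vals[ATTR_EXP_DIR]];
    return 0;
}

/* Encode one attribute into buf; returns bytes written. */
size_t put_attr(uint8_t *buf, uint16_t type, uint32_t value)
{
    struct attr_hdr h = { .type = type, .len = (uint16_t)ATTR_LEN };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &value, sizeof value);
    return ATTR_LEN;
}

/* Build a one-attribute message and run it through the validator. */
int try_attr(uint16_t type, uint32_t value)
{
    struct conn ct = { .sctp_state = 0, .tuplehash = { 11, 22 } };
    uint8_t msg[ATTR_LEN];
    uint32_t hash = 0;
    size_t n = put_attr(msg, type, value);
    return apply_attrs(&ct, msg, n, &hash);
}

/* Demo: a valid message is accepted and reads tuplehash[1]; exp->dir = 100,
 * the value from the report, is rejected before any indexing happens. */
int demo(void)
{
    struct conn ct = { .sctp_state = 0, .tuplehash = { 11, 22 } };
    uint8_t msg[2 * ATTR_LEN];
    uint32_t hash = 0;
    size_t n = put_attr(msg, ATTR_SCTP_STATE, 4);
    n += put_attr(msg + n, ATTR_EXP_DIR, 1);
    if (apply_attrs(&ct, msg, n, &hash) != 0 || ct.sctp_state != 4 || hash != 22)
        return 1;
    return try_attr(ATTR_EXP_DIR, 100) == -1 ? 0 : 1;  /* 0 when rejected */
}
```

The design point is that the bound lives in the policy table, not in the code that consumes the value: every caller that reads a validated attribute gets the guarantee for free, which is the same effect the upstream commits achieve by extending the netlink policies rather than patching each use site.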
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel out-of-bounds read in netfilter/conntrack enables information disclosure (T1212 for potential credential leaks, T1068 for privilege escalation from kernel context) and denial of service via memory corruption (T1499).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied netlink attributes such as CTA_PROTOINFO_SCTP_STATE and exp->dir to prevent out-of-bounds access in kernel conntrack processing.
- SI-2 (Flaw Remediation): mandates timely remediation of the specific kernel flaw through the upstream patches that extend netlink policies for SCTP and ctnetlink attributes.
- Memory protection: provides memory protection mechanisms that mitigate the impact of slab-out-of-bounds reads in nf_conn objects caused by unvalidated inputs.