Cyber Resilience

CVE-2026-31414

Critical

Published: 13 April 2026

Published
13 April 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0038 29.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31414 is a critical-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31414 is a vulnerability in the Linux kernel's netfilter nf_conntrack_expect subsystem. The flaw stems from using nfct_help() without holding a reference to the master conntrack, rendering it unsafe when dumping the helper name via ctnetlink and /proc interfaces. Published on 2026-04-13, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction or privileges required. Exploitation targets the conntrack expectation handling, potentially leading to high confidentiality, integrity, and availability impacts, such as kernel crashes, data corruption, or arbitrary code execution given the unsafe reference handling.

Mitigation requires updating to patched Linux kernel versions via stable repository commits, including 3dfd3f7712b5a800f2ba632179e9b738076a51f0, 4bd1b3d839172724b33d8d02c5a4ff6a1c775417, 847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781, b53294bff19e56ada2f230ceb8b1ffde61cc3817, and e7ccaa0a62a8ff2be5d521299ce79390c318d306. These patches enforce use of expect->helper for dumping and fallback to exp->master->helper in ctnetlink paths without explicit user-provided helpers, while leveraging held references on the master conntrack.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in…

more

ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated kernel RCE/DoS via netfilter conntrack (AV:N, no auth) directly enables initial access by exploiting a public-facing Linux system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22984Same product: Linux Linux Kernel
CVE-2026-43037Same product: Linux Linux Kernel
CVE-2026-31478Same product: Linux Linux Kernel
CVE-2026-31668Same product: Linux Linux Kernel
CVE-2026-31612Same product: Linux Linux Kernel
CVE-2026-43186Same product: Linux Linux Kernel
CVE-2026-31718Same product: Linux Linux Kernel
CVE-2026-23427Same product: Linux Linux Kernel
CVE-2026-43055Same product: Linux Linux Kernel
CVE-2026-31649Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 2.6.30 — 6.1.168 · 6.2 — 6.6.134 · 6.7 — 6.12.81

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identifying, reporting, and patching the unsafe reference handling flaw in the Linux kernel's nf_conntrack_expect subsystem.

detect

Mandates vulnerability scanning to identify Linux kernel versions vulnerable to this nf_conntrack_expect reference flaw.

detect

Ensures receipt and dissemination of security advisories for critical kernel vulnerabilities like CVE-2026-31414 to prompt remediation.

References