CVE-2026-31414
Published: 13 April 2026
Summary
CVE-2026-31414 is a critical-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 29.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31414 is a vulnerability in the Linux kernel's netfilter nf_conntrack_expect subsystem. The flaw stems from using nfct_help() without holding a reference to the master conntrack, rendering it unsafe when dumping the helper name via ctnetlink and /proc interfaces. Published on 2026-04-13, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction or privileges required. Exploitation targets the conntrack expectation handling, potentially leading to high confidentiality, integrity, and availability impacts, such as kernel crashes, data corruption, or arbitrary code execution given the unsafe reference handling.
Mitigation requires updating to patched Linux kernel versions via stable repository commits, including 3dfd3f7712b5a800f2ba632179e9b738076a51f0, 4bd1b3d839172724b33d8d02c5a4ff6a1c775417, 847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781, b53294bff19e56ada2f230ceb8b1ffde61cc3817, and e7ccaa0a62a8ff2be5d521299ce79390c318d306. These patches enforce use of expect->helper for dumping and fallback to exp->master->helper in ctnetlink paths without explicit user-provided helpers, while leveraging held references on the master conntrack.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21932
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_expect: use expect->helper

Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe.

Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Remote unauthenticated kernel RCE/DoS via netfilter conntrack (AV:N, no auth) directly enables initial access by exploiting a public-facing Linux system.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires identifying, reporting, and patching the unsafe reference handling flaw in the Linux kernel's nf_conntrack_expect subsystem.
Mandates vulnerability scanning to identify Linux kernel versions vulnerable to this nf_conntrack_expect reference flaw.
Ensures receipt and dissemination of security advisories for critical kernel vulnerabilities like CVE-2026-31414 to prompt remediation.