CVE-2026-31417
Published: 13 April 2026
Summary
CVE-2026-31417 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 30.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31417 is an integer overflow vulnerability in the Linux kernel's X.25 protocol implementation within the net/x25 subsystem. It occurs when accumulating packet fragments, as the x25_sock.fraglen counter lacks bounds checking, potentially allowing it to exceed its limits. Additionally, fraglen is not reset during the purging of the fragment_queue in the x25_clear_queues() function, exacerbating the issue. The vulnerability affects Linux kernels that support the X.25 protocol and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact without confidentiality or integrity effects.
A remote, unauthenticated attacker can exploit this vulnerability by sending crafted X.25 packets to a vulnerable system, triggering the overflow in fraglen during fragment accumulation. This leads to a kernel crash or denial of service, as the unchecked accumulation disrupts normal packet processing. No privileges or user interaction are required, and exploitation is straightforward over the network given the low attack complexity.
Mitigation is provided through upstream patches committed to Linux kernel stable trees, as documented in the referenced kernel.org git commits. These fixes add an explicit check to prevent x25_sock.fraglen from overflowing during packet accumulation and ensure fraglen is reset when purging the fragment_queue in x25_clear_queues(). Security practitioners should update to kernels incorporating these commits (e.g., 1734bd85c5e0, 4e2d1bcef78d, 6e568835ea54, 798d613afb64, 8c92969c197b) and consider disabling X.25 if unused, as it is a legacy protocol rarely required in modern environments.
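The two fixes described above, shown as a simplified user-space C model. This is an added example, not code from the kernel patches or the original page; the struct, the function names and the 16-bit counter width are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model (assumption): 16-bit byte counter standing in for x25_sock.fraglen. */
struct frag_state { unsigned short fraglen; unsigned int queued; };

/* Behaviour described as vulnerable: the sum is truncated and can wrap. */
static void accumulate_unchecked(struct frag_state *s, unsigned int len)
{
    s->fraglen = (unsigned short)(s->fraglen + len);
    s->queued++;
}

/* Hardened form: reject a fragment that would exceed the counter's range. */
static bool accumulate_checked(struct frag_state *s, unsigned int len)
{
    if (len > (unsigned int)USHRT_MAX - s->fraglen)
        return false; /* caller drops the fragment instead of wrapping */
    accumulate_unchecked(s, len); /* the sum is now known to fit */
    return true;
}

/* Purging the queue also resets the counter so no stale length carries over. */
static void clear_queue(struct frag_state *s)
{
    s->queued = 0;
    s->fraglen = 0;
}

/* Feed n fragments of len bytes; return how many the checked path accepted. */
static unsigned int feed_checked(struct frag_state *s, unsigned int n, unsigned int len)
{
    unsigned int accepted = 0;
    while (n--)
        accepted += accumulate_checked(s, len);
    return accepted;
}

int main(void)
{
    struct frag_state bad = {0, 0}, good = {0, 0};
    for (int i = 0; i < 17; i++) /* constructed input: 17 fragments of 4096 bytes */
        accumulate_unchecked(&bad, 4096);
    printf("unchecked: queued=%u fraglen=%u\n", bad.queued, (unsigned)bad.fraglen);
    printf("checked: accepted %u of 17\n", feed_checked(&good, 17, 4096));
    clear_queue(&good);
    printf("after purge: fraglen=%u\n", (unsigned)good.fraglen);
    return 0;
}
```

In the unchecked path the counter ends up far smaller than the data actually queued, which is the mismatch the upstream check prevents.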
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21938
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
net/x25: Fix overflow when accumulating packets
Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be reset when purging `fragment_queue` in `x25_clear_queues()`.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Integer overflow in X.25 fragment handling enables remote unauthenticated crafted packets to crash the kernel, directly matching Application or System Exploitation for Endpoint Denial of Service.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely remediation of known flaws like the integer overflow in the X.25 protocol by applying upstream kernel patches.
- Enables disabling unnecessary legacy protocols such as X.25 to eliminate exposure to the fraglen overflow vulnerability.
- Implements denial-of-service protections at network entry points to mitigate remote crafted packet floods targeting the X.25 stack.