Cyber Resilience

CVE-2026-31417

High · Updated

Published: 13 April 2026

Modified: 20 May 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0012 (30.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31417 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 30.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31417 is an integer overflow vulnerability in the Linux kernel's X.25 protocol implementation within the net/x25 subsystem. It occurs when accumulating packet fragments, as the x25_sock.fraglen counter lacks bounds checking, potentially allowing it to exceed its limits. Additionally, fraglen is not reset during the purging of the fragment_queue in the x25_clear_queues() function, exacerbating the issue. The vulnerability affects Linux kernels that support the X.25 protocol and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact without confidentiality or integrity effects.

A remote, unauthenticated attacker can exploit this vulnerability by sending crafted X.25 packets to a vulnerable system, triggering the overflow in fraglen during fragment accumulation. This leads to a kernel crash or denial of service, as the unchecked accumulation disrupts normal packet processing. No privileges or user interaction are required, and exploitation is straightforward over the network given the low attack complexity.

Mitigation is provided through upstream patches committed to Linux kernel stable trees, as documented in the referenced kernel.org git commits. These fixes add an explicit check to prevent x25_sock.fraglen from overflowing during packet accumulation and ensure fraglen is reset when purging the fragment_queue in x25_clear_queues(). Security practitioners should update to kernels incorporating these commits (e.g., 1734bd85c5e0, 4e2d1bcef78d, 6e568835ea54, 798d613afb64, 8c92969c197b) and consider disabling X.25 if unused, as it is a legacy protocol rarely required in modern environments.
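The two changes described above (a bounds check before adding to fraglen, and a reset when the fragment queue is purged), shown as an added user-space C model. It is not the kernel patch or any code from kernel.org; the struct, the function names and the 16-bit counter width are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model, not kernel code. The 16-bit width of fraglen is an
 * assumption made for this illustration. */
struct frag_state {
    uint16_t fraglen;   /* running total of queued fragment bytes */
    unsigned queued;    /* stand-in for the length of fragment_queue */
};

/* Unchecked accumulation: the total silently wraps modulo 65536. */
static void queue_fragment_unchecked(struct frag_state *s, size_t len)
{
    s->fraglen += (uint16_t)len;
    s->queued++;
}

/* Checked accumulation: refuse a fragment that would push the total past
 * what the counter can represent. Returns 0 on success, -1 on rejection. */
static int queue_fragment_checked(struct frag_state *s, size_t len)
{
    if (len > (size_t)(UINT16_MAX - s->fraglen))
        return -1;
    s->fraglen += (uint16_t)len;
    s->queued++;
    return 0;
}

/* Purging the queue must also zero the counter, otherwise a stale total
 * carries over into the next message's accumulation. */
static void clear_queues(struct frag_state *s)
{
    s->queued = 0;
    s->fraglen = 0;
}

int main(void)
{
    struct frag_state a = {0}, b = {0};
    for (int i = 0; i < 17; i++) {          /* 17 * 4096 = 69632 > 65535 */
        queue_fragment_unchecked(&a, 4096);
        if (queue_fragment_checked(&b, 4096) != 0)
            printf("checked: fragment %d rejected, fraglen=%u\n", i, (unsigned)b.fraglen);
    }
    printf("unchecked: fraglen=%u after %u fragments\n", (unsigned)a.fraglen, a.queued);
    clear_queues(&b);
    return 0;
}
```

In the unchecked path the counter reports far fewer bytes than are actually queued, which is the mismatch the bounds check removes.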

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets. Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be reset when purging `fragment_queue` in `x25_clear_queues()`.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Integer overflow in X.25 fragment handling enables remote unauthenticated crafted packets to crash the kernel, directly matching Application or System Exploitation for Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31662 · Same product: Linux Linux Kernel
CVE-2025-21717 · Same product: Linux Linux Kernel
CVE-2026-31656 · Same product: Linux Linux Kernel
CVE-2026-43006 · Same product: Linux Linux Kernel
CVE-2025-21794 · Same product: Linux Linux Kernel
CVE-2026-31557 · Same product: Linux Linux Kernel
CVE-2026-23139 · Same product: Linux Linux Kernel
CVE-2026-31539 · Same product: Linux Linux Kernel
CVE-2026-31676 · Same product: Linux Linux Kernel
CVE-2026-43029 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.12, 7.0 · 2.6.12.1 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of known flaws like the integer overflow in the X.25 protocol by applying upstream kernel patches.

prevent

Enables disabling unnecessary legacy protocols such as X.25 to eliminate exposure to the fraglen overflow vulnerability.

prevent · detect

Implements denial-of-service protections at network entry points to mitigate remote crafted packet floods targeting the X.25 stack.

References