CVE-2026-31662
Published: 24 April 2026
Summary
CVE-2026-31662 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely remediation of the integer underflow flaw in the Linux kernel's TIPC GRP_ACK_MSG handler via upstream patches directly prevents exploitation by duplicate acknowledgments.
Denial-of-service protection mechanisms such as rate limiting or filtering of TIPC group acknowledgment messages prevent and detect remote flooding attacks that trigger the bc_ackers underflow.
Restricting kernel functionality to least required by disabling TIPC protocol when unnecessary eliminates exposure to this TIPC-specific broadcast congestion denial-of-service vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer underflow in TIPC GRP_ACK_MSG handler enables remote unauthenticated attacker to trigger persistent broadcast stall via duplicate ACKs, directly matching Application or System Exploitation for Endpoint DoS (no other techniques apply as impact is strictly availability).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current…
more
broadcast round. Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts on the affected socket stay blocked until the group is recreated. Fix this by ignoring duplicate or stale ACKs before touching bc_acked or bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and prevents the underflow path.
Deeper analysisAI
CVE-2026-31662 is an integer underflow vulnerability in the Linux kernel's Transparent Inter-Process Communication (TIPC) subsystem. The issue resides in the GRP_ACK_MSG handler within tipc_group_proto_rcv(), which decrements the bc_ackers counter—a 16-bit unsigned integer (u16)—on every inbound group acknowledgment, including duplicates from the same member. This leads to underflow after the final legitimate ACK, wrapping the counter to 65535 and causing tipc_group_bc_cong() to falsely report congestion, thereby blocking subsequent group broadcasts on the affected socket until the group is manually recreated.
A remote network attacker requires no privileges or user interaction to exploit this flaw. By sending duplicate GRP_ACK_MSG packets after the last valid acknowledgment in a broadcast round, the attacker triggers the underflow, resulting in a denial-of-service condition that persistently stalls TIPC group broadcasts. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-191 (Integer Underflow).
Mitigation is provided through upstream Linux kernel patches in the stable repository. The fix, detailed in commits such as 1b6f13f626665cac67ba5a012765427680518711 and others, ignores duplicate or stale ACKs before modifying bc_acked or bc_ackers, ensuring idempotent handling and preventing the underflow path. Security practitioners should update affected kernel versions accordingly.
Details
- CWE(s)