CVE-2026-31668
Published: 24 April 2026
Summary
CVE-2026-31668 is a critical-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of system flaws, such as patching the Linux kernel to separate the shared dst_cache into independent cache_input and cache_output for seg6 lwtunnel paths.
Enforces approved authorizations for information flows, mitigating bypass of routing policy contexts like ip rules on ingress interfaces or VRF table separation due to blind cache reuse.
Monitors and controls communications at system boundaries, helping to block or detect remote exploitation attempts triggering the seg6 input/output path cache discrepancy.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of the seg6 kernel routing cache flaw directly enables initial access via public-facing network interfaces; misdirected traffic may also support T1498/T1565 impacts but mappings are secondary.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can…
more
perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup. Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.
Deeper analysisAI
CVE-2026-31668 affects the Linux kernel's seg6 lwtunnel implementation, where a single dst_cache is shared between the input path (seg6_input_core()) and output path (seg6_output_core()). These paths perform post-encap SID lookups in different routing contexts, such as ip rules matching on the ingress interface or VRF table separation. The first path to execute populates the cache, while the second reuses it blindly, bypassing its own lookup. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. By triggering the shared cache reuse across differing routing contexts, attackers may bypass intended routing decisions, potentially leading to high impacts on confidentiality, integrity, and availability through disrupted or misdirected traffic handling in seg6 environments.
Mitigation requires updating to patched Linux kernel versions via the stable repository commits referenced in the advisory, including https://git.kernel.org/stable/c/17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a, https://git.kernel.org/stable/c/1dec91d3b1cefb82635761b7812154af3ef46449, https://git.kernel.org/stable/c/57d0374d14fa667dec6952173b93e7e84486d5c9, https://git.kernel.org/stable/c/6305ad032b03d2ea4181b953a66e19a9a6ed053c, and https://git.kernel.org/stable/c/750569d6987a0ff46317a4b86eb3907e296287bf, which separate the cache into cache_input and cache_output for independent lookups per path.
Details
- CWE(s)