Cyber Resilience

CVE-2026-31668

Critical

Published: 24 April 2026

Published
24 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0044 35.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31668 is a critical-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-31668 affects the Linux kernel's seg6 lwtunnel implementation, where a single dst_cache is shared between the input path (seg6_input_core()) and output path (seg6_output_core()). These paths perform post-encap SID lookups in different routing contexts, such as ip rules matching on the ingress interface or VRF table separation. The first path to execute populates the cache, while the second reuses it blindly, bypassing its own lookup. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. By triggering the shared cache reuse across differing routing contexts, attackers may bypass intended routing decisions, potentially leading to high impacts on confidentiality, integrity, and availability through disrupted or misdirected traffic handling in seg6 environments.

Mitigation requires updating to patched Linux kernel versions via the stable repository commits referenced in the advisory, including https://git.kernel.org/stable/c/17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a, https://git.kernel.org/stable/c/1dec91d3b1cefb82635761b7812154af3ef46449, https://git.kernel.org/stable/c/57d0374d14fa667dec6952173b93e7e84486d5c9, https://git.kernel.org/stable/c/6305ad032b03d2ea4181b953a66e19a9a6ed053c, and https://git.kernel.org/stable/c/750569d6987a0ff46317a4b86eb3907e296287bf, which separate the cache into cache_input and cache_output for independent lookups per path.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can…

more

perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup. Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation of the seg6 kernel routing cache flaw directly enables initial access via public-facing network interfaces; misdirected traffic may also support T1498/T1565 impacts but mappings are secondary.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22984Same product: Linux Linux Kernel
CVE-2026-43037Same product: Linux Linux Kernel
CVE-2026-31478Same product: Linux Linux Kernel
CVE-2026-31414Same product: Linux Linux Kernel
CVE-2026-31612Same product: Linux Linux Kernel
CVE-2026-43186Same product: Linux Linux Kernel
CVE-2026-31718Same product: Linux Linux Kernel
CVE-2026-23427Same product: Linux Linux Kernel
CVE-2026-43055Same product: Linux Linux Kernel
CVE-2026-31649Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
4.10, 7.0 · 4.10.1 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.169

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of system flaws, such as patching the Linux kernel to separate the shared dst_cache into independent cache_input and cache_output for seg6 lwtunnel paths.

prevent

Enforces approved authorizations for information flows, mitigating bypass of routing policy contexts like ip rules on ingress interfaces or VRF table separation due to blind cache reuse.

preventdetect

Monitors and controls communications at system boundaries, helping to block or detect remote exploitation attempts triggering the seg6 input/output path cache discrepancy.

References