Cyber Resilience

CVE-2026-31674

High

Published: 25 April 2026

Modified: 06 May 2026
KEV Added
Patch
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (5.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31674 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE ranks at the 5.1th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31674 is a vulnerability in the Linux kernel's netfilter subsystem, specifically the ip6t_rt module used for IPv6 routing matches in iptables. The issue arises because the rt_mt6_check() function does not reject rules where the addrnr value exceeds IP6T_RT_HOPS, allowing malformed rules to be installed. This leads to out-of-bounds access in the rtinfo->addrs[] array when the match logic executes rt_mt6(), as it assumes addrnr stays within bounds.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation results in high confidentiality impact (C:H), such as potential information disclosure through out-of-bounds reads, and high availability impact (A:H), likely causing kernel crashes or denial of service, while maintaining unchanged scope (S:U). The CVSS v3.1 base score is 7.1.

Mitigation involves applying kernel patches that validate and reject oversized addrnr values during rule installation in rt_mt6_check(), preventing malformed rules from being accepted. Relevant stable kernel commits are available at https://git.kernel.org/stable/c/13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa, https://git.kernel.org/stable/c/29ea965a1353bc8303877422f79c8211e9ba9c55, https://git.kernel.org/stable/c/9d3f027327c2fa265f7f85ead41294792c3296ed, https://git.kernel.org/stable/c/a28ebf6f99de270d6338ccdc3b49f3e818f99b7b, and https://git.kernel.org/stable/c/af9b7e2b765966457f4ec23be5bd34a141f89574. Security practitioners should update affected Linux kernels promptly.
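The install-time check described above, as an added userspace model that is not the kernel's code or the upstream patch. The *_model names and rt_install_and_match() are hypothetical, and IP6T_RT_HOPS is set to 16 as in the kernel UAPI header.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define IP6T_RT_HOPS 16 /* value from the kernel UAPI header; not stated on the page */

struct in6_model { uint8_t b[16]; };      /* stand-in for an IPv6 address */

/* Simplified stand-in for the rt match rule data, not the kernel struct. */
struct rt_rule_model {
    struct in6_model addrs[IP6T_RT_HOPS]; /* hop addresses to compare */
    uint8_t addrnr;                       /* entries of addrs[] in use */
};

/* Install-time validation: reject a rule whose addrnr cannot index addrs[]. */
int rt_check_model(const struct rt_rule_model *r)
{
    if (r->addrnr > IP6T_RT_HOPS)
        return -EINVAL;                   /* would run past addrs[] at match time */
    return 0;
}

/* Match-time loop that trusts addrnr; only safe on a validated rule.
 * Returns 1 when the first addrnr packet hops equal the rule's, else 0. */
int rt_match_model(const struct rt_rule_model *r,
                   const struct in6_model *hops, unsigned int nhops)
{
    if (nhops < r->addrnr)
        return 0;
    for (unsigned int i = 0; i < r->addrnr; i++)
        if (memcmp(&r->addrs[i], &hops[i], sizeof(hops[i])) != 0)
            return 0;
    return 1;
}

/* A rule reaches the matcher only after it has passed validation. */
int rt_install_and_match(const struct rt_rule_model *r,
                         const struct in6_model *hops, unsigned int nhops)
{
    int err = rt_check_model(r);
    return err ? err : rt_match_model(r, hops, nhops);
}

int main(void)
{
    struct rt_rule_model bad = { .addrnr = IP6T_RT_HOPS + 1 }; /* constructed input */
    return rt_check_model(&bad) == -EINVAL ? 0 : 1;
}
```

The boundary value addrnr == IP6T_RT_HOPS is accepted, because it still indexes only the last valid element of addrs[].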

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()

Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1212 Exploitation for Credential Access · Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

T1499.004 Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel OOB read in netfilter enables credential access via info disclosure (T1212) and system DoS via crash (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21743 · Same product: Linux Linux Kernel
CVE-2026-31679 · Same product: Linux Linux Kernel
CVE-2026-31484 · Same product: Linux Linux Kernel
CVE-2026-31568 · Same product: Linux Linux Kernel
CVE-2026-23327 · Same product: Linux Linux Kernel
CVE-2026-43028 · Same product: Linux Linux Kernel
CVE-2026-31774 · Same product: Linux Linux Kernel
CVE-2026-23325 · Same product: Linux Linux Kernel
CVE-2026-43042 · Same product: Linux Linux Kernel
CVE-2024-57945 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.12, 7.0 · 2.6.12.1 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Flaw remediation requires timely patching of the Linux kernel to add validation in rt_mt6_check() that rejects oversized addrnr values, directly preventing malformed rule installation and out-of-bounds access.

prevent

Information input validation enforces bounds checking on addrnr at netfilter ip6t_rt rule input interfaces, stopping malformed rules from being accepted into rtinfo->addrs[] before match execution.

prevent

Least privilege limits local low-privilege attackers' ability to obtain CAP_NET_ADMIN or equivalent access needed to install exploiting ip6t_rt rules.

References