CVE-2026-31674
Published: 25 April 2026
Summary
CVE-2026-31674 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). It ranks at the 5.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31674 is a vulnerability in the Linux kernel's netfilter subsystem, specifically the ip6t_rt module, which implements the rt match on the IPv6 Routing header for ip6tables. The issue arises because rt_mt6_check() does not reject rules whose addrnr value exceeds IP6T_RT_HOPS, so malformed rules can be installed. When the match logic in rt_mt6() later runs, it assumes addrnr stays within bounds and can access the rtinfo->addrs[] array out of bounds.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation results in high confidentiality impact (C:H), such as potential information disclosure through out-of-bounds reads, and high availability impact (A:H), likely causing kernel crashes or denial of service, while maintaining unchanged scope (S:U). The CVSS v3.1 base score is 7.1.
Mitigation involves applying kernel patches that validate and reject oversized addrnr values during rule installation in rt_mt6_check(), preventing malformed rules from being accepted. Relevant stable kernel commits:
- https://git.kernel.org/stable/c/13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa
- https://git.kernel.org/stable/c/29ea965a1353bc8303877422f79c8211e9ba9c55
- https://git.kernel.org/stable/c/9d3f027327c2fa265f7f85ead41294792c3296ed
- https://git.kernel.org/stable/c/a28ebf6f99de270d6338ccdc3b49f3e818f99b7b
- https://git.kernel.org/stable/c/af9b7e2b765966457f4ec23be5bd34a141f89574
Security practitioners should update affected Linux kernels promptly.
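A userspace C model of the install-time check described above, added here as an illustration; it is not the kernel's code or the upstream patch. The struct and the `rt_*` function names are hypothetical, and `RT_HOPS` stands in for IP6T_RT_HOPS (assumed to be 16, as in the kernel's uapi header).

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define RT_HOPS 16   /* models IP6T_RT_HOPS; 16 is an assumption from the uapi header */
#define ADDR_LEN 16  /* bytes in one IPv6 address */

/* Simplified model of the rule data; not the kernel's struct ip6t_rt. */
struct rt_rule_model {
    uint8_t addrs[RT_HOPS][ADDR_LEN]; /* addresses the rule compares against */
    uint8_t addrnr;                   /* how many entries of addrs[] are in use */
};

/* Install-time check: reject a rule whose addrnr cannot index addrs[].
 * A uint8_t can hold up to 255, far beyond the 16 slots available. */
int rt_check_model(const struct rt_rule_model *r)
{
    if (r->addrnr > RT_HOPS)
        return -EINVAL;
    return 0;
}

/* Match-time walk: compares the first addrnr rule addresses with the
 * pkt_n addresses of a packet (flat buffer, ADDR_LEN bytes each).
 * It trusts addrnr, so it is only safe on rules that passed the check. */
int rt_match_model(const struct rt_rule_model *r,
                   const uint8_t *pkt_addrs, unsigned int pkt_n)
{
    if (pkt_n < r->addrnr)
        return 0;
    for (unsigned int i = 0; i < r->addrnr; i++)
        if (memcmp(r->addrs[i], pkt_addrs + i * ADDR_LEN, ADDR_LEN) != 0)
            return 0;
    return 1;
}

/* Hypothetical wrapper: a rule reaches the matcher only after the check. */
int rt_install_and_match(const struct rt_rule_model *r,
                         const uint8_t *pkt_addrs, unsigned int pkt_n)
{
    int err = rt_check_model(r);
    if (err)
        return err;   /* malformed rule is never evaluated */
    return rt_match_model(r, pkt_addrs, pkt_n);
}
```

The boundary matters: addrnr equal to RT_HOPS is a valid, fully populated rule, while RT_HOPS + 1 is the first value that must be refused.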
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25641
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel OOB read in netfilter enables credential access via info disclosure (T1212) and system DoS via crash (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires timely patching of the Linux kernel to add validation in rt_mt6_check() that rejects oversized addrnr values, directly preventing malformed rule installation and out-of-bounds access.
Information input validation enforces bounds checking on addrnr at netfilter ip6t_rt rule input interfaces, stopping malformed rules from being accepted into rtinfo->addrs[] before match execution.
Least privilege limits local low-privilege attackers' ability to obtain CAP_NET_ADMIN or equivalent access needed to install exploiting ip6t_rt rules.