CVE-2026-31675
Published: 25 April 2026
Summary
CVE-2026-31675 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely remediation of the specific kernel flaw through application of patches that add the missing skb_headlen non-zero check.
Addresses the root cause by mandating validation of inputs such as skb_headlen before using them to generate offsets for memory access, preventing the out-of-bounds condition.
Mitigates impacts of out-of-bounds memory access through kernel memory protections like randomization and access controls, reducing exploitability even if the flaw triggers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel out-of-bounds read/write in netem gives a low-privileged attacker arbitrary memory access, directly enabling privilege escalation through exploitation of the vulnerability.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption. In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.
Deeper analysis
CVE-2026-31675 is an out-of-bounds memory access vulnerability in the Linux kernel's networking traffic control subsystem, specifically within the sch_netem (netem) queue discipline. The issue arises in the netem_enqueue() function during packet corruption logic, where get_random_u32_below(skb_headlen(skb)) selects a random index for modifying skb->data. When fully non-linear packets are sent via an AF_PACKET TX_RING over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() triggers a slow path that returns an unconstrained 32-bit random integer, which is then used as an offset into skb->data, resulting in an out-of-bounds access. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by crafting and sending fully non-linear packets through an AF_PACKET TX_RING over an IPIP tunnel while the netem discipline is configured for packet corruption. This triggers the out-of-bounds access during the corruption attempt, potentially allowing arbitrary memory reads or writes depending on the kernel's memory layout and protections, leading to high impacts on confidentiality, integrity, and availability.
Mitigation involves applying upstream kernel patches, as detailed in the referenced stable commit fixes: 13a66ca1e235d4bcd53d12d4c68490cad7f8e46f, 3a2999704ac36cfb4041fed3652d26a3373e8d12, 4fd258e281fa8bc15e9ce2c7691941537e9258ad, a14b56863348686dd0387eea8ce66b85cf455908, and d64cb81dcbd54927515a7f65e5e24affdc73c14b. These patches add a check to ensure skb_headlen(skb) is non-zero before attempting to corrupt the linear data area, causing fully non-linear packets to silently bypass the corruption logic.
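The following C model, added here and not taken from the kernel or the referenced commits, shows why a headlen of 0 lets the corruption index escape the linear area and what the non-zero check in the fix changes. The stand-in struct skb, the rand()-backed model of get_random_u32_below() and the demo() driver are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for struct sk_buff (constructed; only the fields netem's corruption path reads). */
struct skb {
    uint8_t *data;      /* linear data area */
    uint32_t len;       /* total packet length */
    uint32_t data_len;  /* bytes living in paged fragments (non-linear part) */
};

/* As in the kernel: bytes in the linear area, 0 for a fully non-linear skb. */
static uint32_t skb_headlen(const struct skb *s) { return s->len - s->data_len; }

/* Model of get_random_u32_below(): [0, ceil) for ceil > 0; ceil == 0 takes the real
 * helper's variable-ceil slow path and returns an unconstrained 32-bit value. */
static uint32_t get_random_u32_below(uint32_t ceil)
{
    uint32_t r = (uint32_t)rand();   /* rand() stands in for the kernel CRNG */
    return ceil ? r % ceil : r;
}

/* Vulnerable step: the index netem_enqueue() would use into skb->data (returned, not
 * dereferenced, so this model never goes out of bounds itself). */
static uint32_t corrupt_index_vulnerable(const struct skb *s)
{
    return get_random_u32_below(skb_headlen(s));
}

/* Fixed step: bypass fully non-linear packets, otherwise flip one bit in-bounds. */
static bool corrupt_byte_fixed(struct skb *s)
{
    uint32_t headlen = skb_headlen(s);
    if (!headlen)
        return false;
    s->data[get_random_u32_below(headlen)] ^= 1u << get_random_u32_below(8);
    return true;
}

/* Both paths on a 64-byte linear packet and a 64-byte fully non-linear one. */
static bool demo(void)
{
    static uint8_t buf[64];
    struct skb linear = { buf, 64, 0 };   /* headlen 64 */
    struct skb nonlin = { buf, 64, 64 };  /* headlen 0: the TX_RING-over-IPIP shape */
    bool escaped = false;
    for (unsigned i = 0; i < 256; i++)
        if (corrupt_index_vulnerable(&nonlin) >= 64)
            escaped = true;             /* headlen 0: the index leaves the buffer */
    return escaped && !corrupt_byte_fixed(&nonlin) && corrupt_byte_fixed(&linear);
}
```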
Details
- CWE(s)