CVE-2026-31682
Published: 25 April 2026
Summary
CVE-2026-31682 is a critical-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 25.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires identification, reporting, and timely correction of the kernel parsing flaw via upstream patches to eliminate the vulnerability.
Implements memory safeguards such as randomization and non-executable regions to mitigate exploitation of invalid memory access during skb option parsing.
Enables vulnerability scanning to identify systems running vulnerable Linux kernel versions affected by the bridge ND parsing issue.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated network exploit in kernel bridge IPv6 ND parsing enables remote service exploitation (T1210) and system DoS via crashes from OOB access (T1499.004); I:N impact precludes reliable RCE/priv-esc mapping.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.
Deeper analysis
CVE-2026-31682 is a vulnerability in the Linux kernel's bridge module, specifically in the br_nd_send() function. This function parses Neighbor Discovery (ND) options from the ns->opt[] array in IPv6 neighbor solicitation packets, assuming the options reside in the linear portion of the socket buffer (skb). However, callers of br_nd_send() only guarantee that the ICMPv6 header and target address are linear, leaving the options area potentially non-linear. As a result, parsing can access data beyond the linear buffer boundaries, leading to potential memory corruption or invalid memory access.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction. Successful exploitation could result in high confidentiality and availability impacts, such as information disclosure through out-of-bounds reads or denial-of-service via kernel crashes, while integrity impact is none.
Mitigation is provided through upstream kernel patches available in stable branches, as referenced in the following commits: https://git.kernel.org/stable/c/2ba4caba423ed94d63006eb1d2227b0332ab7fcd, https://git.kernel.org/stable/c/3a30f6469b058574f49efde61cd6f5d79e576053, https://git.kernel.org/stable/c/4f397b950c916e9a1f8a4fce04ea0110206cad47, https://git.kernel.org/stable/c/658261898130da620fc3d0fbb0523efb3366cb55, and https://git.kernel.org/stable/c/9c55e41c73af5c4511070933b1bd25248521270c. These patches linearize the skb prior to parsing ND options and derive the neighbor solicitation structure from the linear network header. Security practitioners should update affected Linux kernels to incorporate these fixes.
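The linearize-before-parse pattern described above, modelled in userspace C as an added example (not the kernel patch and not code from this page). The `struct pkt` layout, the helper names and the sample bytes are constructed assumptions; the option layout (type, length in 8-octet units, options starting 24 bytes into the ICMPv6 message) follows RFC 4861.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_OPT_OFF 24  /* ICMPv6 header (8) + target address (16) */
/* Userspace stand-in for an skb (assumption, not the kernel struct). */
struct pkt {
    const uint8_t *head; size_t head_len;  /* linear part */
    const uint8_t *frag; size_t frag_len;  /* non-linear part */
};

/* Model of linearizing: copy head and fragment into one flat buffer. */
size_t pkt_linearize(const struct pkt *p, uint8_t *out, size_t cap)
{
    size_t total = p->head_len + p->frag_len;
    if (total > cap) return 0;
    memcpy(out, p->head, p->head_len);
    memcpy(out + p->head_len, p->frag, p->frag_len);
    return total;
}

/* Return offset of the SLLA (type 1) payload in buf[off..len), or -1. */
int find_slla(const uint8_t *buf, size_t len, size_t off)
{
    while (off + 2 <= len) {
        size_t optlen = (size_t)buf[off + 1] * 8;
        if (optlen == 0 || off + optlen > len) return -1;  /* malformed */
        if (buf[off] == 1) return (int)(off + 2);
        off += optlen;
    }
    return -1;
}

/* Constructed sample: NS header in head, one SLLA option in the fragment. */
static const uint8_t HEAD[ND_OPT_OFF] = { 135, 0 };  /* type 135 = NS */
static const uint8_t FRAG[8] = { 1, 1, 0x02, 0, 0, 0, 0, 0x01 };
/* Parsing bounded by the linear part only: the option is not reachable. */
int slla_head_only(void) { return find_slla(HEAD, sizeof HEAD, ND_OPT_OFF); }
/* Linearize first, then parse the flat copy: the option is in bounds. */
int slla_linearized(void)
{
    struct pkt p = { HEAD, sizeof HEAD, FRAG, sizeof FRAG };
    uint8_t flat[64];
    size_t n = pkt_linearize(&p, flat, sizeof flat);
    return n ? find_slla(flat, n, ND_OPT_OFF) : -1;
}

int main(void) { printf("%d %d\n", slla_head_only(), slla_linearized()); return 0; }
```

A parser bounded by the linear length finds no option in the sample, while parsing the flattened copy finds it at offset 26 with every read checked against the full length.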
Details
- CWE(s)