Cyber Resilience

CVE-2026-31685

CriticalUpdated

Published: 25 April 2026

Published
25 April 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
EPSS Score 0.0034 25.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31685 is a critical-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31685 is a vulnerability in the Linux kernel's netfilter subsystem, specifically the ip6t_eui64 module. The eui64_mt6() function derives a modified EUI-64 identifier from the Ethernet source address and compares it against the low 64 bits of the IPv6 source address. Previously, it only rejected packets with invalid MAC headers when the fragmentation offset (par->fragoff) was non-zero, allowing non-fragmented packets (par->fragoff == 0) with invalid MAC headers to proceed to eth_hdr(skb) access, which could lead to unsafe memory handling.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H). Successful exploitation may result in high confidentiality impact, low integrity impact, and high availability impact against affected systems processing such IPv6 traffic through the ip6t_eui64 match.

Mitigation involves applying kernel patches that remove the par->fragoff != 0 condition from the invalid MAC header check, ensuring all packets with invalid MAC headers are rejected before accessing eth_hdr(skb). Relevant stable branch patches are available at the following kernel git commits: https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a, https://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55, https://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6, https://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091, and https://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6…

more

source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploitation of kernel netfilter packet processing (invalid MAC header handling in ip6t_eui64) directly maps to T1190 for initial access against exposed systems; high availability impact via memory corruption also enables T1499.004 for DoS through system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23148Same product: Linux Linux Kernel
CVE-2026-31476Same product: Linux Linux Kernel
CVE-2026-31598Same product: Linux Linux Kernel
CVE-2026-31706Same product: Linux Linux Kernel
CVE-2026-31711Same product: Linux Linux Kernel
CVE-2026-31631Same product: Linux Linux Kernel
CVE-2026-31636Same product: Linux Linux Kernel
CVE-2026-31501Same product: Linux Linux Kernel
CVE-2026-31448Same product: Linux Linux Kernel
CVE-2026-22984Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.12, 7.0 · 2.6.12.1 — 6.6.136 · 6.7 — 6.12.83 · 6.13 — 6.18.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely application of the kernel patches directly remediates the ip6t_eui64 flaw by enforcing invalid MAC header rejection for all packets, preventing unsafe eth_hdr(skb) access.

prevent

Strict validation of information inputs like Ethernet MAC headers in IPv6 netfilter processing directly prevents the exploitation of this input validation deficiency.

prevent

Effective boundary protection via netfilter, when flaw-free, controls network packet flows and mitigates risks from malformed IPv6 packets targeting this vulnerability.

References