CVE-2026-31685
Published: 25 April 2026
Summary
CVE-2026-31685 is a critical-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely application of the kernel patches directly remediates the ip6t_eui64 flaw by enforcing invalid MAC header rejection for all packets, preventing unsafe eth_hdr(skb) access.
Strict validation of information inputs like Ethernet MAC headers in IPv6 netfilter processing directly prevents the exploitation of this input validation deficiency.
Effective boundary protection via netfilter, when flaw-free, controls network packet flows and mitigates risks from malformed IPv6 packets targeting this vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of kernel netfilter packet processing (invalid MAC header handling in ip6t_eui64) directly maps to T1190 for initial access against exposed systems; high availability impact via memory corruption also enables T1499.004 for DoS through system exploitation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6…
more
source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Deeper analysisAI
CVE-2026-31685 is a vulnerability in the Linux kernel's netfilter subsystem, specifically the ip6t_eui64 module. The eui64_mt6() function derives a modified EUI-64 identifier from the Ethernet source address and compares it against the low 64 bits of the IPv6 source address. Previously, it only rejected packets with invalid MAC headers when the fragmentation offset (par->fragoff) was non-zero, allowing non-fragmented packets (par->fragoff == 0) with invalid MAC headers to proceed to eth_hdr(skb) access, which could lead to unsafe memory handling.
Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H). Successful exploitation may result in high confidentiality impact, low integrity impact, and high availability impact against affected systems processing such IPv6 traffic through the ip6t_eui64 match.
Mitigation involves applying kernel patches that remove the par->fragoff != 0 condition from the invalid MAC header check, ensuring all packets with invalid MAC headers are rejected before accessing eth_hdr(skb). Relevant stable branch patches are available at the following kernel git commits: https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a, https://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55, https://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6, https://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091, and https://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8.
Details
- CWE(s)