CVE-2026-31407

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: conntrack: add missing netlink policy validations<br /> <br /> Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.<br /> <br /> These attributes are used by the kernel without any validation.<br /> Extend the netlink policies accordingly.<br /> <br /> Quoting the reporter:<br /> nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE<br /> value directly to ct-&gt;proto.sctp.state without checking that it is<br /> within the valid range. [..]<br /> <br /> and: ... with exp-&gt;dir = 100, the access at<br /> ct-&gt;master-&gt;tuplehash[100] reads 5600 bytes past the start of a<br /> 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by<br /> UBSAN.