CVE-2026-31495
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/04/2026
Last modified:
28/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: use netlink policy range checks

Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors.

- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check.
- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE (14). The normal TCP option parsing path already clamps to this value, but the ctnetlink path accepted 0-255, causing undefined behavior when used as a u32 shift count.
- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with CTA_FILTER_F_ALL, removing the manual mask checks.
- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding a new mask define grouping all valid expect flags.

Extracted from a broader nf-next patch by Florian Westphal, scoped to ctnetlink for the fixes tree.
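The effect of the policy-level checks described above, shown as an added userspace C model (not kernel code and not part of the patch): a per-attribute table rejects out-of-range and out-of-mask values before any consumer uses them as a shift count. `TCP_MAX_WSCALE` (14) is taken from the description; `attr_policy`, `validate_attrs`, `scaled_window` and `DEMO_FLAGS_ALL` are hypothetical names, and the window-scaling consumer is an assumed illustration of the "u32 shift count" use.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model only; all names except TCP_MAX_WSCALE are hypothetical. */
#define TCP_MAX_WSCALE 14U   /* value quoted in the advisory */
#define DEMO_FLAGS_ALL 0x3U  /* constructed: the two flag bits this model allows */

enum attr_id { ATTR_WSCALE_ORIG, ATTR_WSCALE_REPLY, ATTR_FLAGS, ATTR_COUNT };
enum check { CHECK_MAX, CHECK_MASK };
struct attr_policy { enum check kind; uint32_t limit; };

static const struct attr_policy policy[ATTR_COUNT] = {
    [ATTR_WSCALE_ORIG]  = { CHECK_MAX,  TCP_MAX_WSCALE },
    [ATTR_WSCALE_REPLY] = { CHECK_MAX,  TCP_MAX_WSCALE },
    [ATTR_FLAGS]        = { CHECK_MASK, DEMO_FLAGS_ALL },
};

/* Returns 0 if every attribute passes its policy; else -1 and *bad = attribute id. */
int validate_attrs(const uint32_t vals[ATTR_COUNT], int *bad)
{
    for (int i = 0; i < ATTR_COUNT; i++) {
        const struct attr_policy *p = &policy[i];
        int ok = (p->kind == CHECK_MAX) ? vals[i] <= p->limit
                                        : (vals[i] & ~p->limit) == 0;
        if (!ok) {
            *bad = i;
            return -1;
        }
    }
    return 0;
}

/* Consumer: the shift is only reached after validation, so the count is <= 14. */
int scaled_window(const uint32_t vals[ATTR_COUNT], uint16_t win, uint32_t *out)
{
    int bad;
    if (validate_attrs(vals, &bad) < 0)
        return -1;
    *out = (uint32_t)win << vals[ATTR_WSCALE_ORIG];
    return 0;
}

int main(void)
{
    uint32_t msg[ATTR_COUNT] = { 255, 7, 0x1 };  /* constructed input: wscale 255 */
    uint32_t out;
    printf("%s\n", scaled_window(msg, 0xFFFF, &out) ? "rejected" : "accepted");
    return 0;
}
```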
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.22.1 (including) | 5.10.253 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.203 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.131 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.80 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.21 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2ef71307c86a9f866d6e28f1a0c06e2e9d794474
- https://git.kernel.org/stable/c/435b576cd2faa75154777868f8cbb73bf71644d3
- https://git.kernel.org/stable/c/45c33e79ae705b7af97e3117672b6cd258dd0b1b
- https://git.kernel.org/stable/c/4f7d25f3f0786402ba48ff7d13b6241d77d975f5
- https://git.kernel.org/stable/c/675c913b940488a84effdeeac5a1cfb657b59804
- https://git.kernel.org/stable/c/8f15b5071b4548b0aafc03b366eb45c9c6566704
- https://git.kernel.org/stable/c/c6cb41eaae875501eaaa487b8db6539feb092292
- https://git.kernel.org/stable/c/fcec5ce2d73a41668b24e3f18c803541602a59f6



