CVE-2026-31503

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udp: Fix wildcard bind conflict check when using hash2<br /> <br /> When binding a udp_sock to a local address and port, UDP uses<br /> two hashes (udptable-&gt;hash and udptable-&gt;hash2) for collision<br /> detection. The current code switches to "hash2" when<br /> hslot-&gt;count &gt; 10.<br /> <br /> "hash2" is keyed by local address and local port.<br /> "hash" is keyed by local port only.<br /> <br /> The issue can be shown in the following bind sequence (pseudo code):<br /> <br /> bind(fd1, "[fd00::1]:8888")<br /> bind(fd2, "[fd00::2]:8888")<br /> bind(fd3, "[fd00::3]:8888")<br /> bind(fd4, "[fd00::4]:8888")<br /> bind(fd5, "[fd00::5]:8888")<br /> bind(fd6, "[fd00::6]:8888")<br /> bind(fd7, "[fd00::7]:8888")<br /> bind(fd8, "[fd00::8]:8888")<br /> bind(fd9, "[fd00::9]:8888")<br /> bind(fd10, "[fd00::10]:8888")<br /> <br /> /* Correctly return -EADDRINUSE because "hash" is used<br /> * instead of "hash2". udp_lib_lport_inuse() detects the<br /> * conflict.<br /> */<br /> bind(fail_fd, "[::]:8888")<br /> <br /> /* After one more socket is bound to "[fd00::11]:8888",<br /> * hslot-&gt;count exceeds 10 and "hash2" is used instead.<br /> */<br /> bind(fd11, "[fd00::11]:8888")<br /> bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */<br /> <br /> The same issue applies to the IPv4 wildcard address "0.0.0.0"<br /> and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For<br /> example, if there are existing sockets bound to<br /> "192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or<br /> "[::ffff:0.0.0.0]:8888" can also miss the conflict when<br /> hslot-&gt;count &gt; 10.<br /> <br /> TCP inet_csk_get_port() already has the correct check in<br /> inet_use_bhash2_on_bind(). Rename it to<br /> inet_use_hash2_on_bind() and move it to inet_hashtables.h<br /> so udp.c can reuse it in this fix.