2455331 – (CVE-2026-31407) CVE-2026-31407 kernel: netfilter: conntrack: add missing netlink policy validations

Bug 2455331 (CVE-2026-31407) - CVE-2026-31407 kernel: netfilter: conntrack: add missing netlink policy validations

Summary: CVE-2026-31407 kernel: netfilter: conntrack: add missing netlink policy valid...

Keywords:
Status:	NEW
Alias:	CVE-2026-31407
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-06 09:01 UTC by OSIDB Bzimport
Modified:	2026-04-06 11:47 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-06 09:01:12 UTC

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: add missing netlink policy validations

Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.

These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.

Quoting the reporter:
  nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
  value directly to ct->proto.sctp.state without checking that it is
  within the valid range. [..]

  and: ... with exp->dir = 100, the access at
  ct->master->tuplehash[100] reads 5600 bytes past the start of a
  320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
  UBSAN.

Comment 1 Keith Grant 2026-04-06 11:46:15 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026040628-CVE-2026-31407-6abd@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.