VYPR
High severity · 7.5 · NVD Advisory · Published Apr 13, 2026 · Updated Apr 27, 2026

CVE-2026-31417


Description

In the Linux kernel, the following vulnerability has been resolved:

net/x25: Fix overflow when accumulating packets

Add a check to ensure that x25_sock.fraglen does not overflow.

The fraglen also needs to be reset when purging fragment_queue in x25_clear_queues().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing overflow check in the Linux kernel's X.25 network protocol can cause a denial of service when accumulating fragmented packets.

Vulnerability Overview

CVE-2026-31417 is a high-severity vulnerability in the Linux kernel's X.25 network protocol implementation. The root cause is an integer overflow in the x25_sock.fraglen field, which accumulates the length of incoming fragmented packets. Without a proper bounds check, an attacker can cause fraglen to wrap around, leading to unexpected behavior and potential system crashes or memory corruption.

Exploitation

An attacker with network access to a system using the X.25 protocol can send a sequence of specially crafted fragmented packets. The overflow occurs when the cumulative length of fragments exceeds the maximum value of the fraglen variable. No authentication is required beyond the ability to send X.25 frames to the target. The vulnerability is triggered during packet reassembly, before any data is delivered to the application layer.

Impact

Successful exploitation results in a denial of service (DoS) condition. The kernel may panic, hang, corrupt memory, or behave unpredictably, potentially crashing the entire system. The CVSS v3 base score of 7.5 reflects the high availability impact. There is no evidence of remote code execution or privilege escalation from this vulnerability alone.

Mitigation

The fix adds an overflow check before accumulating fraglen and ensures that fraglen is reset when the fragment queue is purged in x25_clear_queues(). Patches have been applied to the stable kernel branches as referenced in the commit history [1][2][3][4]. Users should update their systems to the latest patched kernel version to mitigate this issue.
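The two parts of the fix described above (check before accumulating, reset on purge), sketched as an added C example; this is not the kernel patch or code from this advisory. `struct frag_state`, the 16-bit width of its `fraglen`, and the helpers `accumulate_checked`, `clear_queue` and `feed` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct x25_sock; the 16-bit fraglen is an assumption here. */
struct frag_state {
    uint16_t fraglen; /* running byte total of queued fragments */
    size_t queued;    /* fragments currently held in the queue */
};

/* Refuse a fragment that would wrap the counter; the caller drops it. */
static bool accumulate_checked(struct frag_state *st, uint16_t len)
{
    if (len > UINT16_MAX - st->fraglen)
        return false;
    st->fraglen = (uint16_t)(st->fraglen + len);
    st->queued++;
    return true;
}

/* Purging must also reset the counter, or the next message starts stale. */
static void clear_queue(struct frag_state *st)
{
    *st = (struct frag_state){ .fraglen = 0, .queued = 0 };
}

/* Feed `count` fragments; unchecked mode lets the total wrap modulo 65536. */
static size_t feed(struct frag_state *st, uint16_t len, size_t count, bool checked)
{
    size_t accepted = 0;
    for (; accepted < count; accepted++) {
        if (checked && !accumulate_checked(st, len))
            break;
        if (!checked) {
            st->fraglen = (uint16_t)(st->fraglen + len); /* unchecked add */
            st->queued++;
        }
    }
    return accepted;
}

int main(void)
{
    struct frag_state bad = {0, 0}, good = {0, 0};
    feed(&bad, 4096, 17, false); /* constructed input: 17 x 4096 bytes */
    printf("unchecked=%u accepted=%zu\n", (unsigned)bad.fraglen, feed(&good, 4096, 17, true));
    clear_queue(&good);
    return 0;
}
```

In the unchecked run the counter reports far fewer bytes than are actually queued, which is the inconsistency the overflow check prevents.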

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
