CVE-2026-31418
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: drop logically empty buckets in mtype_del
mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.
Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.
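The two release conditions described above, side by side in a simplified bucket model added here for illustration. This is constructed code, not the kernel's ip_set_hash_gen.h; `model_bucket`, `model_del()` and the slot bookkeeping are assumptions that keep only what the description states (live entries sit below `n->pos`, `k` counts unused slots below it).

```c
#include <stdbool.h>

/* Simplified model of one ipset hash bucket, constructed for this note; it is
 * not the kernel's struct hbucket. used[i] stands in for the used bit of slot
 * i and pos is the first never-used slot, so live entries exist only below pos. */
#define MODEL_SLOTS 8
struct model_bucket { bool used[MODEL_SLOTS]; unsigned int pos; };

/* k in mtype_del(): number of unused slots below pos. */
static unsigned int count_empty_below_pos(const struct model_bucket *n)
{
    unsigned int k = 0;
    for (unsigned int i = 0; i < n->pos; i++)
        if (!n->used[i])
            k++;
    return k;
}

/* Original condition: release the bucket only when pos and k are both zero. */
static bool old_should_drop(const struct model_bucket *n)
{
    return n->pos == 0 && count_empty_below_pos(n) == 0;
}

/* Corrected condition: every slot below pos is unused, so nothing is live. */
static bool new_should_drop(const struct model_bucket *n)
{
    return count_empty_below_pos(n) == n->pos;
}

/* Model delete: clear the slot; pos retreats only when the topmost slot goes. */
static void model_del(struct model_bucket *n, unsigned int i)
{
    n->used[i] = false;
    if (i + 1 == n->pos)
        n->pos--;
}

/* Fill three slots, delete all three in the given order, then ask the chosen
 * condition whether the now-empty bucket would be released. Deleting low
 * slots first leaves pos == 2 above two freed slots; high-first ends at pos == 0. */
static bool bucket_dropped_after_deletes(bool fixed_check, bool high_first)
{
    struct model_bucket n = { .pos = 3 };   /* slots 0..2 are in use */
    for (unsigned int i = 0; i < 3; i++)
        n.used[i] = true;
    for (unsigned int step = 0; step < 3; step++)
        model_del(&n, high_first ? 2 - step : step);
    return fixed_check ? new_should_drop(&n) : old_should_drop(&n);
}
```

With the original condition the low-first order leaves a bucket with no live entries allocated; the corrected condition releases it in both orders.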
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel netfilter ipset bug: mtype_del() fails to drop empty buckets when n->pos is non-zero, causing wasted memory.
Vulnerability
In the Linux kernel's netfilter ipset subsystem, the mtype_del() function has a logical flaw when removing entries from a hash bucket. The function counts empty slots below n->pos in variable k, but only drops (releases) the bucket when both n->pos and k are zero. This means that if n->pos still points past deleted slots after all live entries have been removed, the bucket is not treated as empty and is not released, leading to wasted memory. [1][2]
Exploitation
This vulnerability can be triggered by any local user with the ability to delete entries from an ipset (e.g., via iptables or nftables rules that manage ipsets). The attacker does not need special privileges beyond the capability to modify ipset content. Successfully deleting entries in a pattern that leaves n->pos pointing past freed slots will result in the bucket remaining allocated but logically empty. [3][4]
Impact
An attacker able to repeatedly trigger this condition can cause kernel memory to be retained indefinitely for empty buckets. While the immediate impact is memory bloat, under constrained environments this could contribute to denial-of-service conditions. The netfilter subsystem is commonly used in firewalling and network filtering, so the flaw affects systems relying on ipset for network policy enforcement.
Mitigation
The fix corrects the logic to treat a bucket as empty when all positions below n->pos are unused and to release it directly instead of attempting further shrinking. Patches have been applied to the stable kernel trees and are available in commits linked from the CVE references. Users should apply the latest kernel updates to ensure the fix is in place. [1][2][3][4]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- git.kernel.org/stable/c/58f3a14826d4e6b0d5421f1a64be280b48601ea2 (nvd: Patch)
- git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4 (nvd: Patch)
- git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233 (nvd: Patch)
- git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02 (nvd: Patch)
- git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb (nvd: Patch)
- git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323 (nvd: Patch)
- git.kernel.org/stable/c/c098ff857e7ca923539164af5b3c2fe3e8f8afaf (nvd: Patch)
- git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4 (nvd: Patch)
News mentions (1)
- Patch Tuesday - April 2026, Rapid7 Blog, Apr 14, 2026