CVE-2026-31495

Vulnerability

CVE-2026-31495 addresses missing range and mask validation in the Linux kernel's netfilter ctnetlink subsystem. The code previously performed manual checks for several netlink attributes, but these were incomplete. Specifically, CTA_PROTOINFO_TCP_STATE was only checked against TCP_CONNTRACK_MAX without rejecting values above TCP_CONNTRACK_SYN_SENT2, and CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY accepted values 0–255, while the normal TCP path clamps to TCP_MAX_WSCALE (14). Using an out-of-range window scale value as a shift count could cause undefined behavior [1][2].

Exploitation

An attacker with the ability to sendmsg() access to a netlink socket (typically requiring CAP_NET_ADMIN) could craft a netlink message containing a ctnetlink request with an invalid TCP window scale value (e.g., 15–255). The kernel would then use this value as a shift count in a u32 operation, leading to undefined behavior. No authentication beyond netlink socket access is needed, but the attacker must be able to communicate with the ctnetlink handler [1][2].

Impact

Successful exploitation could result in a denial of service (system crash) or potentially arbitrary code execution, depending on the compiler and architecture. The undefined shift operation may corrupt memory or cause unpredictable control flow. The CVSS v3 score is 5.5 (Medium), reflecting the need for local access and privileges [1][2].

Mitigation

The fix replaces manual checks with netlink policy annotations (NLA_POLICY_RANGE, NLA_POLICY_MASK) so that the netlink core rejects invalid values early and provides extack errors. The patch has been applied to the Linux kernel stable trees [3][4]. Users should update to a kernel containing the fix commit 435b576cd2fa or later.