CVE-2026-31503
Description
In the Linux kernel, the following vulnerability has been resolved:
udp: Fix wildcard bind conflict check when using hash2
When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10.
"hash2" is keyed by local address and local port. "hash" is keyed by local port only.
The issue can be shown in the following bind sequence (pseudo code):
  bind(fd1, "[fd00::1]:8888")
  bind(fd2, "[fd00::2]:8888")
  bind(fd3, "[fd00::3]:8888")
  bind(fd4, "[fd00::4]:8888")
  bind(fd5, "[fd00::5]:8888")
  bind(fd6, "[fd00::6]:8888")
  bind(fd7, "[fd00::7]:8888")
  bind(fd8, "[fd00::8]:8888")
  bind(fd9, "[fd00::9]:8888")
  bind(fd10, "[fd00::10]:8888")

  /* Correctly return -EADDRINUSE because "hash" is used
   * instead of "hash2". udp_lib_lport_inuse() detects the
   * conflict.
   */
  bind(fail_fd, "[::]:8888")

  /* After one more socket is bound to "[fd00::11]:8888",
   * hslot->count exceeds 10 and "hash2" is used instead.
   */
  bind(fd11, "[fd00::11]:8888")
  bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */
The same issue applies to the IPv4 wildcard address "0.0.0.0" and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For example, if there are existing sockets bound to "192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or "[::ffff:0.0.0.0]:8888" can also miss the conflict when hslot->count > 10.
TCP inet_csk_get_port() already has the correct check in inet_use_bhash2_on_bind(). Rename it to inet_use_hash2_on_bind() and move it to inet_hashtables.h so udp.c can reuse it in this fix.
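Added example (not kernel code and not part of the commit): a small user-space C model of the bind-time check described above. It shows the wildcard bind being rejected with 10 sockets on the port, accepted with 11 under the old check, and rejected again once wildcard addresses are kept off "hash2". The names table, in_use(), model_bind() and wildcard_after() are hypothetical, hslot->count is modelled as the number of sockets on the port, and the "fixed" rule is an assumed shape of the fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ADDR_ANY  0u   /* stands for 0.0.0.0 / [::] */
#define MAX_SOCKS 32
struct bound { uint32_t addr; uint16_t port; };
static struct bound table[MAX_SOCKS];   /* constructed model state */
static int nbound;

/* via_hash2=false models "hash" (port only): every socket on the port is
 * compared, so a wildcard on either side conflicts. via_hash2=true models
 * "hash2" (address + port): only sockets bound to this exact address are
 * compared. */
static bool in_use(uint32_t addr, uint16_t port, bool via_hash2) {
    for (int i = 0; i < nbound; i++) {
        if (table[i].port != port) continue;
        if (table[i].addr == addr) return true;
        if (!via_hash2 && (table[i].addr == ADDR_ANY || addr == ADDR_ANY))
            return true;
    }
    return false;
}

/* Returns 0 on success, -1 for the -EADDRINUSE case. count models
 * hslot->count as the number of sockets already on the port. fixed=true
 * keeps a wildcard address off the hash2 path (assumed shape of the fix). */
static int model_bind(uint32_t addr, uint16_t port, bool fixed) {
    int count = 0;
    for (int i = 0; i < nbound; i++) count += table[i].port == port;
    bool via_hash2 = count > 10 && !(fixed && addr == ADDR_ANY);
    if (nbound == MAX_SOCKS || in_use(addr, port, via_hash2)) return -1;
    table[nbound++] = (struct bound){ addr, port };
    return 0;
}

/* Bind n distinct 192.168.1.x addresses on 8888, then try 0.0.0.0:8888. */
static int wildcard_after(int n, bool fixed) {
    nbound = 0;
    for (int i = 1; i <= n; i++) model_bind(0xc0a80100u + i, 8888, fixed);
    return model_bind(ADDR_ANY, 8888, fixed);
}

int main(void) {
    printf("10 bound, old check: %d\n", wildcard_after(10, false));
    printf("11 bound, old check: %d\n", wildcard_after(11, false));
    printf("11 bound, new check: %d\n", wildcard_after(11, true));
    return 0;
}
```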
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The UDP bind conflict check switches to hash2 once more than 10 sockets are in the hash bucket, which lets a wildcard bind bypass conflict detection.
Vulnerability
In the Linux kernel, when binding a UDP socket to a local address and port, the system uses two hashes for conflict detection: hash (keyed by port only) and hash2 (keyed by address and port). The code switches to hash2 when the number of sockets with the same port in the hash bucket exceeds 10. However, hash2 does not correctly detect conflicts for wildcard bindings, because it only checks collisions among sockets with the same local address, missing the case where a wildcard address should conflict with any specific address on that port.
Exploitation
An unprivileged user can exploit this by binding multiple UDP sockets to distinct local addresses on the same port until the bucket count exceeds 10, then binding a wildcard address (e.g., [::]:8888 or 0.0.0.0:8888) to that port. The kernel incorrectly allows the wildcard bind to succeed, even though it should return -EADDRINUSE. The attack requires the ability to create and bind UDP sockets, but no special privileges or network position.
Impact
A successful exploit allows an attacker to bind a wildcard socket to a port already occupied by specific-address sockets. This can lead to unintended interception of traffic destined for those specific sockets, potentially enabling information disclosure or denial of service.
Mitigation
The issue is fixed in the Linux kernel by porting the correct conflict check from TCP (inet_use_hash2_on_bind) to UDP. The fix ensures that wildcard bind conflicts are properly detected regardless of the hash in use. Users should apply kernel updates containing the relevant commits.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=2.6.33.1,<6.1.168)
- cpe:2.3:o:linux:linux_kernel:2.6.33:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
References
- git.kernel.org/stable/c/0a360f7f73a06ac88f18917055fbcc79694252d7 (nvd, Patch)
- git.kernel.org/stable/c/18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4 (nvd, Patch)
- git.kernel.org/stable/c/2297e38114316b26ae02f2d205c49b5511c5ed55 (nvd, Patch)
- git.kernel.org/stable/c/d6ace0dbcbb7fd285738bb87b42b71b01858c952 (nvd, Patch)
- git.kernel.org/stable/c/e537dd15d0d4ad989d56a1021290f0c674dd8b28 (nvd, Patch)
- git.kernel.org/stable/c/f1bed05a832ae79be5f7a105da56810eaa59a5f1 (nvd, Patch)