VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 23, 2026 · Updated Apr 28, 2026

CVE-2026-31531

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()

When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for single nexthops and small Equal-Cost Multi-Path groups, this fixed allocation fails for large nexthop groups like 512 nexthops.

This results in the following warning splat:

    WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608
    [...]
    RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)
    [...]
    Call Trace:
     rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)
     netlink_rcv_skb (net/netlink/af_netlink.c:2550)
     netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
     netlink_sendmsg (net/netlink/af_netlink.c:1894)
     ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)
     ___sys_sendmsg (net/socket.c:2641)
     __sys_sendmsg (net/socket.c:2671)
     do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Fix this by allocating the size dynamically using nh_nlmsg_size() and using nlmsg_new(); this is consistent with nexthop_notify() behavior. In addition, adjust nh_nlmsg_size_grp() so it calculates the size needed based on flags passed. While at it, also add the size of NHA_FDB for nexthop group size calculation as it was missing too.

This cannot be reproduced via iproute2 as the group size is currently limited and the command fails as follows:

addattr_l ERROR: message exceeded bound of 1048
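
The size mismatch described above, as an added example that is not kernel code and not part of the advisory: a userspace C model that fills a group reply into a fixed-size buffer and into one sized from the group itself. The 4 KiB page bound, the helper names and the reduced attribute set (nlmsghdr, nhmsg, NHA_ID and NHA_GROUP only) are assumptions, so the computed sizes are lower bounds on a real reply.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ALIGN4(n)      (((size_t)(n) + 3) & ~(size_t)3)
#define NLMSG_HDR      16u   /* sizeof(struct nlmsghdr) */
#define NHMSG_LEN      8u    /* sizeof(struct nhmsg) */
#define NLA_HDR        4u    /* sizeof(struct nlattr) */
#define NLA_TOTAL(len) ALIGN4(NLA_HDR + (len))
#define FIXED_CAP      4096u /* assumption: 4 KiB page; NLMSG_GOODSIZE is smaller still */

/* Constructed stand-in with the same 8-byte layout as the UAPI struct nexthop_grp. */
struct grp_entry { uint32_t id; uint8_t weight, weight_high; uint16_t resvd2; };

/* Lower bound on the reply for an n-member group:
 * nlmsghdr + nhmsg + NHA_ID (u32) + NHA_GROUP (n entries). */
size_t reply_size_min(unsigned n)
{
    return NLMSG_HDR + NHMSG_LEN + NLA_TOTAL(4) + NLA_TOTAL(n * sizeof(struct grp_entry));
}

/* Write the NHA_GROUP payload; refuses to write past cap, as nla_put() does. */
static int fill_reply(unsigned char *buf, size_t cap, unsigned n)
{
    size_t off = NLMSG_HDR + NHMSG_LEN + NLA_TOTAL(4) + NLA_HDR;
    if (off + n * sizeof(struct grp_entry) > cap)
        return -EMSGSIZE;
    for (unsigned i = 0; i < n; i++) {
        struct grp_entry e = { .id = i + 1, .weight = 0 };
        memcpy(buf + off + i * sizeof e, &e, sizeof e);
    }
    return 0;
}

/* Hypothetical helper: allocate cap bytes and try to build the reply in them. */
static int try_get(unsigned n, size_t cap)
{
    unsigned char *buf = calloc(1, cap);
    int rc = buf ? fill_reply(buf, cap, n) : -ENOMEM;
    free(buf);
    return rc;
}

/* Pre-fix pattern: one fixed-size buffer whatever the group size. */
int get_fixed(unsigned n)   { return try_get(n, FIXED_CAP); }

/* Post-fix pattern: size the buffer from the object being dumped. */
int get_dynamic(unsigned n) { return try_get(n, reply_size_min(n)); }
```

Under these assumptions a 507-member group still fits in one page and a 508-member group does not, so the 512-member case from the description fails in the fixed-buffer path and succeeds once the buffer is sized from the group.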

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A fixed-size skb allocation in the Linux kernel's rtm_get_nexthop() causes a warning when querying large nexthop groups, fixed by dynamic allocation.

Vulnerability Description

The Linux kernel's IPv4 nexthop subsystem contains a bug in rtm_get_nexthop(), which allocates a fixed-size socket buffer (NLMSG_GOODSIZE) when handling RTM_GETNEXTHOP requests. This allocation fails for large nexthop groups (e.g., 512 nexthops), triggering a kernel warning splat as shown in the kernel log [1][2][3][4].

Exploitation

An attacker on the system can trigger this bug by sending a crafted RTM_GETNEXTHOP netlink request for a nexthop group that exceeds the fixed buffer size. The attack requires the ability to create such large nexthop groups, which typically necessitates root privileges or CAP_NET_ADMIN. The issue manifests as a kernel warning and stack trace, potentially leading to log flooding and denial of service.

Impact

The primary impact is a kernel warning and potential system instability due to log flooding. The warning does not indicate a memory corruption or code execution risk; however, the function may fail to return results, causing denial of service for legitimate queries. The patch ensures proper dynamic allocation using nlmsg_new() and adjusts size calculations in nh_nlmsg_size_grp(), fixing the issue [1].

Mitigation

The fix is available in Linux kernel commits [1], [2], [3], [4] and is expected to be backported to stable kernels. Users should update to the latest kernel version containing these patches.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Linux/Kernel: 8 versions
  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.3,<6.12.83)
  • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

References

4
