CVE-2026-31674
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.
rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing bounds check in the Linux kernel's ip6t_rt netfilter module allows oversized addrnr values in the addrnr field, leading to potential out-of-bounds access.
Vulnerability
CVE-2026-31674 is a vulnerability in the Linux kernel's netfilter subsystem, specifically in the ip6t_rt match module for IPv6 routing headers. The root cause is the absence of a validation check on the addrnr field (number of addresses) in rt_mt6_check() during rule installation. The rt_mt6() function expects addrnr to be within the bounds of the rtinfo->addrs[] array, but no such check existed, allowing a user with sufficient privileges to install a rule with an oversized addrnr value [1][2][3][4].
Exploitation
To exploit this vulnerability, an attacker must have the ability to insert netfilter rules, iptables, or nftables rules on the target system. This typically requires root or CAP_NET_ADMIN privileges. By crafting a rule with an addrnr value exceeding IP6T_RT_HOPS, the attacker, the attacker can cause rt_mt6() to read or write beyond the allocated rtinfo->addrs[]` array during packet processing, leading to an out-of-bounds memory access [1][2][3][4].
Impact
Successful exploitation could result in a denial of service (system crash or memory corruption) or, in some cases, potential information disclosure or privilege escalation, depending on the memory layout and kernel hardening. The CVSS v3 score of 7.1 (High) reflects the potential for significant impact, though exploitation requires elevated privileges [1][2][3][4].
Mitigation
The fix was applied in the Linux kernel stable tree via commits that add a check in rt_mt6_check() to reject rules with addrnr exceeding IP6T_RT_HOPS. Users should update their kernel to a version containing these commits. No workaround is available other than restricting access to netfilter rule insertion [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12(expand)+ 11 more
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.12.1,<5.10.253
- cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfanvdPatch
- git.kernel.org/stable/c/29ea965a1353bc8303877422f79c8211e9ba9c55nvdPatch
- git.kernel.org/stable/c/9d3f027327c2fa265f7f85ead41294792c3296ednvdPatch
- git.kernel.org/stable/c/a28ebf6f99de270d6338ccdc3b49f3e818f99b7bnvdPatch
- git.kernel.org/stable/c/af9b7e2b765966457f4ec23be5bd34a141f89574nvdPatch
- git.kernel.org/stable/c/c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59nvdPatch
- git.kernel.org/stable/c/d8795fde1f78669a87c87ac29fceab2f104daa8cnvdPatch
- git.kernel.org/stable/c/ded71f5684df16fa645cca5bf4fe6b0cd8a46119nvdPatch
News mentions
0No linked articles in our index yet.