CVE-2026-31679
Description
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: validate MPLS set/set_masked payload length
validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for SET/SET_MASKED actions. In action handling, OVS expects fixed-size MPLS key data (struct ovs_key_mpls).
Use the already normalized key_len (masked case included) and reject non-matching MPLS action key sizes.
Reject invalid MPLS action payload lengths early.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing validation of MPLS payload length in OVS SET/SET_MASKED actions could lead to out-of-bounds memory access.
Root
Cause
The Linux kernel's Open vSwitch (openvswitch) module lacked proper validation of the MPLS payload length in validate_set() when processing OVS_KEY_ATTR_MPLS for SET and SET_MASKED actions. The function accepted variable-sized payloads, but the action handling code expects a fixed-size struct ovs_key_mpls. This inconsistency could allow crafted actions with non-matching MPLS key sizes to bypass early checks [1][2].
Exploitation
An attacker with the ability to create or modify OVS flows (e.g., via a local user with certain capabilities, or potentially from a network-accessible OVS management interface) could submit a flow action with an undersized or oversized MPLS key. The missing length check means that such malformed actions would reach the action execution path, where the fixed-size assumption leads to reading beyond the allocated buffer or misinterpreting memory [3][4].
Impact
Successful exploitation may result in an out-of-bounds read or write during MPLS action processing, potentially leading to kernel memory corruption, denial of service, or privilege escalation. The CVSS score of 7.1 (High) reflects the availability and integrity impact, as well as the low attack complexity once an attacker can inject actions [1].
Mitigation
The fix has been merged into the Linux kernel stable tree via commits that reject any MPLS action with a key length not matching sizeof(struct ovs_key_mpls). System administrators should apply the latest stable kernel updates. For systems that cannot be immediately updated, restricting access to OVS flow management can reduce the attack surface [2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.5,<5.10.253
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/2ca33b88a79ca42f017ae0f7011280325655438envdPatch
- git.kernel.org/stable/c/4cae986225f8b8679ad86b924918e7d75a96aa61nvdPatch
- git.kernel.org/stable/c/546b68ac893595877ffbd7751e5c55fd1c43ede6nvdPatch
- git.kernel.org/stable/c/68f32ef0683c8d1c05cd2e4f16818fa63ff59c6fnvdPatch
- git.kernel.org/stable/c/8ed7b9930cbc3bc71f868fa79a68700ac88d586anvdPatch
- git.kernel.org/stable/c/98de18d327ef8cbbb704980e359e4872d8c28997nvdPatch
- git.kernel.org/stable/c/bd50c7484c3bb34097571c1334174fb8b7408036nvdPatch
- git.kernel.org/stable/c/c1f97152df8dfb17e855ddf0fc409b7bd13e9700nvdPatch
News mentions
0No linked articles in our index yet.