CVE-2026-31684

The tcf_csum_ops->act() function in the Linux kernel's act_csum classifier walks nested VLAN headers directly from skb->data when a packet still has in-payload VLAN tags. Before this fix, the code did not use pskb_may_pull() to ensure that a full VLAN header (VLAN_HLEN bytes) was present in the linear area before reading vlan->h_vlan_encapsulated_proto and subsequently calling skb_pull(VLAN_HLEN). If only part of an inner VLAN header had been linearized, the read could go past the linear area, leading to an out-of-bounds access, and the skb_pull() call could corrupt the socket buffer's internal state. [1] [2] [3] [4]

The vulnerability resides in the network path where an attacker can craft a packet carrying multiple 802.1Q or 802.1ad VLAN headers, causing the kernel to attempt to parse multiple encapsulations. The attacker does not need any special privileges; the packet can be sent from a user space application or over the network to a host that uses the act_csum action in its traffic control rules. The kernel's existing error path drops the packet if the header is not fully available, but the missing linearity check defeats that safeguard. [1]

An attacker who successfully triggers the bug could cause a kernel crash (out-of-bounds read and kernel panic) leading to a denial of service (DoS) on the affected system. The CVSS v3 score of 5.5 (Medium) reflects the availability impact, with no confidentiality or integrity compromise expected. The issue does not appear to be exploitable for code execution, but it can reliably crash the kernel if the attack is repeated. [2] [3]

The fix adds a pskb_may_pull(skb, VLAN_HLEN) check before each nested VLAN header access, ensuring the header is fully linear before reading or pulling. If the check fails, the packet is dropped via the existing error path without performing the VLAN parsing. The fix has been applied to multiple stable kernel branches, and it is recommended to update to the latest patched kernel version to mitigate CVE-2026-31684. [1] [2] [3] [4]