CVE-2026-31738
Description
In the Linux kernel, the following vulnerability has been resolved:
vxlan: validate ND option lengths in vxlan_na_create
vxlan_na_create() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload.
Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's VXLAN implementation, missing ND option length validation in vxlan_na_create() allows a malformed packet to cause out-of-bounds read, leading to potential information disclosure.
The vulnerability resides in the Linux kernel's VXLAN module, specifically in the function vxlan_na_create(). This function processes Neighbor Discovery (ND) options and advances a parser based on option-provided lengths. Due to insufficient validation, a malformed ND option can cause the parser to advance beyond the computed option span or use a too-short source LLADDR option payload, leading to an out-of-bounds read [1].
An attacker can trigger the vulnerability by sending a specially crafted VXLAN packet to a target system. No authentication is required if the system is listening on a VXLAN interface. The malformed ND option manipulates the length field to cause the parser to read beyond the intended buffer boundaries, potentially accessing kernel memory that should be inaccessible [2].
The impact is limited to an out-of-bounds read, which could leak sensitive kernel memory contents. This information disclosure could aid an attacker in bypassing security mechanisms like KASLR. The CVSS v3 score of 5.5 (Medium) reflects the need for network access and the likelihood of some information disclosure, but not arbitrary control [3].
The fix is available in stable kernel commits that add proper validation of ND option lengths before advancing the parser, ensuring the source LLADDR is only read when the option is sufficiently large for an Ethernet address [4]. Systems should apply these patches from the respective stable kernels to mitigate the vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=3.12.18,<3.13
- cpe:2.3:o:linux:linux_kernel:3.14:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:3.14:rc8:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/2029712fb2c87e9a8c75094906f2ee29bf08c500nvdPatch
- git.kernel.org/stable/c/602596c69a70e50d9ab8c6ae0290a01f88229dd7nvdPatch
- git.kernel.org/stable/c/901c1dd3bab2955d7e664f914c374c8c3ac2b958nvdPatch
- git.kernel.org/stable/c/afa9a05e6c4971bd5586f1b304e14d61fb3d9385nvdPatch
- git.kernel.org/stable/c/b69c4236255bd8de16cd876e58c6f0867d1d78b1nvdPatch
- git.kernel.org/stable/c/de20d2e3b9179d132f5f5b44e490d7c916c6321bnvdPatch
- git.kernel.org/stable/c/e476745917a1e288eb15e7ff49d286a86a4861d3nvdPatch
- git.kernel.org/stable/c/eddfce70a6f3107d1679b0c2fcbeb96b593bd679nvdPatch
News mentions
0No linked articles in our index yet.