CVE-2026-31752
Description
In the Linux kernel, the following vulnerability has been resolved:
bridge: br_nd_send: validate ND option lengths
br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload.
Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel bridge's br_nd_send() lacked ND option length validation, allowing out-of-bounds reads via malformed Neighbor Discovery options.
Vulnerability
CVE-2026-31752 is a medium-severity vulnerability in the Linux kernel's bridge networking component. The function br_nd_send() processes Neighbor Discovery (ND) options by walking through them according to lengths provided within each option. The code failed to validate that these option lengths are within the bounds of the remaining ND option area, and also did not check that a source LLADDR LLADDR option is large enough to contain a full Ethernet address before reading it [1][2][3][4].
Exploitation
An attacker on the local network can send a crafted Neighbor Solicitation (NS) message with a malformed ND option that specifies an incorrect length. This can cause the parser to advance beyond the intended option span or to read from a too-short source LLADDR payload. No authentication is required, as the vulnerability is triggered code path is reachable from incoming ND messages processed by the bridge [1][2].
Impact
Successful exploitation can lead to an out-of-bounds read, potentially leaking kernel memory contents or causing a denial of service disruption. The CVSS v3 score of 5.5 reflects a medium severity, with the attack vector being adjacent network and no privileges required [1][2].
Mitigation
The fix was applied in the Linux kernel stable tree via commits that add proper length validation before advancing the option pointer and only reading the source LLADDR when the option is large enough for an Ethernet address [1][2][3][4]. Users should update to a kernel version containing these patches.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=4.15,<5.10.253
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/259466f76f5a2148aff11134e68f4b4c6d52725bnvdPatch
- git.kernel.org/stable/c/82a42eceec7c6bdb0e0da94c0542a173b7ea57f2nvdPatch
- git.kernel.org/stable/c/837392a38445729c22e03d3abcf33f07763efd85nvdPatch
- git.kernel.org/stable/c/850837965af15707fd3142c1cf3c5bfaf022299bnvdPatch
- git.kernel.org/stable/c/c49b9256bbacb6a135654aebd12e4c0e87166b7cnvdPatch
- git.kernel.org/stable/c/e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aanvdPatch
- git.kernel.org/stable/c/e71303a9190496136e240c4f2872b7b0b16027a7nvdPatch
- git.kernel.org/stable/c/ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43anvdPatch
News mentions
0No linked articles in our index yet.