FKIE_CVE-2026-31682

Vulnerability from fkie_nvd - Published: 2026-04-25 09:16 - Updated: 2026-04-25 09:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2ba4caba423ed94d63006eb1d2227b0332ab7fcd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3a30f6469b058574f49efde61cd6f5d79e576053
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4f397b950c916e9a1f8a4fce04ea0110206cad47
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/658261898130da620fc3d0fbb0523efb3366cb55
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9c55e41c73af5c4511070933b1bd25248521270c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a01aee7cafc575bb82f5529e8734e7052f9b16ea
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bd91ec85aa4c77d645bd2739fc56784157a88ca2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c68433fd291c9e88c00292095172c62d1997d662
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns-\u003eopt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns-\u003eopt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header."
    }
  ],
  "id": "CVE-2026-31682",
  "lastModified": "2026-04-25T09:16:01.913",
  "metrics": {},
  "published": "2026-04-25T09:16:01.913",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2ba4caba423ed94d63006eb1d2227b0332ab7fcd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3a30f6469b058574f49efde61cd6f5d79e576053"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4f397b950c916e9a1f8a4fce04ea0110206cad47"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/658261898130da620fc3d0fbb0523efb3366cb55"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9c55e41c73af5c4511070933b1bd25248521270c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a01aee7cafc575bb82f5529e8734e7052f9b16ea"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/bd91ec85aa4c77d645bd2739fc56784157a88ca2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c68433fd291c9e88c00292095172c62d1997d662"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Received"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.