CVE-2026-31495

Source
https://cve.org/CVERecord?id=CVE-2026-31495
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31495.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31495
Published
2026-04-22T13:54:17.591Z
Modified
2026-07-03T18:29:29.960002149Z
Summary
netfilter: ctnetlink: use netlink policy range checks
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: use netlink policy range checks

Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors.

  • CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check.
  • CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE (14). The normal TCP option parsing path already clamps to this value, but the ctnetlink path accepted 0-255, causing undefined behavior when used as a u32 shift count.
  • CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with CTA_FILTER_F_ALL, removing the manual mask checks.
  • CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding a new mask define grouping all valid expect flags.

Extracted from a broader nf-next patch by Florian Westphal, scoped to ctnetlink for the fixes tree.
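
The validation pattern described above, as an added userspace example (not code from the kernel patch): a declarative table of per-attribute maximum and mask limits is checked before any consumer uses the value, so a window-scale value above 14 never reaches a shift. All names are illustrative; the state limit and flag mask are constructed values, and only the limit of 14 comes from the record.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: every name here is illustrative, not kernel API. */
enum check_kind { CHECK_MAX, CHECK_MASK };
enum { ATTR_TCP_STATE, ATTR_TCP_WSCALE, ATTR_FLAGS, ATTR_COUNT };

struct attr_policy {
    const char *name;
    enum check_kind kind;
    uint32_t limit;            /* inclusive maximum, or mask of allowed bits */
};

static const struct attr_policy policy[ATTR_COUNT] = {
    [ATTR_TCP_STATE]  = { "tcp state",  CHECK_MAX,  9u },   /* constructed limit */
    [ATTR_TCP_WSCALE] = { "tcp wscale", CHECK_MAX,  14u },  /* 14 as stated in the record */
    [ATTR_FLAGS]      = { "flags",      CHECK_MASK, 0x7u }, /* constructed mask */
};

/* Returns 0 when the value passes policy; otherwise -1 and *bad names the
 * rejected attribute, standing in for an extack message. */
int validate_attr(int type, uint32_t value, const char **bad)
{
    *bad = NULL;
    if (type < 0 || type >= ATTR_COUNT) { *bad = "unknown attribute"; return -1; }
    const struct attr_policy *p = &policy[type];
    int ok = (p->kind == CHECK_MAX) ? (value <= p->limit) : ((value & ~p->limit) == 0);
    if (!ok) *bad = p->name;
    return ok ? 0 : -1;
}

/* Consumer that shifts only after validation, so the count is always < 32. */
int scaled_window(uint32_t win, uint32_t wscale, uint32_t *out)
{
    const char *bad;
    if (validate_attr(ATTR_TCP_WSCALE, wscale, &bad) < 0) return -1;
    *out = win << wscale;
    return 0;
}

int main(void)
{
    const uint32_t samples[] = { 0, 7, 14, 15, 255 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t w;
        int rc = scaled_window(65535u, samples[i], &w);
        printf("wscale=%u -> %s\n", (unsigned)samples[i], rc ? "rejected" : "accepted");
    }
    return 0;
}
```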

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31495.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4
Fixed
435b576cd2faa75154777868f8cbb73bf71644d3
Fixed
2ef71307c86a9f866d6e28f1a0c06e2e9d794474
Fixed
4f7d25f3f0786402ba48ff7d13b6241d77d975f5
Fixed
fcec5ce2d73a41668b24e3f18c803541602a59f6
Fixed
675c913b940488a84effdeeac5a1cfb657b59804
Fixed
c6cb41eaae875501eaaa487b8db6539feb092292
Fixed
45c33e79ae705b7af97e3117672b6cd258dd0b1b
Fixed
8f15b5071b4548b0aafc03b366eb45c9c6566704

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31495.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type        Introduced   Fixed
ECOSYSTEM   2.6.22       5.10.253
ECOSYSTEM   5.11.0       5.15.203
ECOSYSTEM   5.16.0       6.1.168
ECOSYSTEM   6.2.0        6.6.131
ECOSYSTEM   6.7.0        6.12.80
ECOSYSTEM   6.13.0       6.18.21
ECOSYSTEM   6.19.0       6.19.11

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31495.json"