CVE-2026-31405
Received Received - Intake
Out-of-Bounds Read in Linux DVB-NET ULE Extension Header

Publication date: 2026-04-06

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-27
Generated
2026-05-07
AI Q&A
2026-04-06
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31405
EUVD
EUVD-2026-19199
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's media subsystem, specifically in the dvb-net component. It involves an out-of-bounds (OOB) access in the ULE extension header tables used in the function handle_one_ule_extension().

Two tables, ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[], are declared with 255 elements indexed from 0 to 254. However, the index htype is derived from network-controlled data and can have a value from 0 to 255. When htype equals 255, it causes an out-of-bounds read on these tables, potentially leading to the OOB value being called as a function pointer.

The fix involves adding a bounds check on htype before accessing the tables. If htype is out of range, the SNDU (Subnetwork Data Unit) is discarded to prevent the OOB access.


How can this vulnerability impact me? :

This vulnerability can lead to an out-of-bounds read and potentially the execution of unintended function pointers. This may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code within the kernel context.

Since the vulnerability is triggered by network-controlled data, a remote attacker could exploit this by sending specially crafted network packets to the affected system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the issue has been fixed. The fix involves adding a bounds check on the htype index before accessing the extension header tables, preventing out-of-bounds access.

Until the update is applied, avoid processing untrusted or malformed ULE packets that could trigger the out-of-bounds access.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart