CVE-2026-31405
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Read in Linux DVB-NET ULE Extension Header

Publication date: 2026-04-06

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31405
EUVD
EUVD-2026-19199
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's media subsystem, specifically in the dvb-net component. It involves an out-of-bounds (OOB) access in the ULE extension header tables used in the function handle_one_ule_extension().

Two tables, ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[], are declared with 255 elements indexed from 0 to 254. However, the index htype is derived from network-controlled data and can have a value from 0 to 255. When htype equals 255, it causes an out-of-bounds read on these tables, potentially leading to the OOB value being called as a function pointer.

The fix involves adding a bounds check on htype before accessing the tables. If htype is out of range, the SNDU (Subnetwork Data Unit) is discarded to prevent the OOB access.

Impact Analysis

This vulnerability can lead to an out-of-bounds read and potentially the execution of unintended function pointers. This may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code within the kernel context.

Since the vulnerability is triggered by network-controlled data, a remote attacker could exploit this by sending specially crafted network packets to the affected system.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue has been fixed. The fix involves adding a bounds check on the htype index before accessing the extension header tables, preventing out-of-bounds access.

Until the update is applied, avoid processing untrusted or malformed ULE packets that could trigger the out-of-bounds access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart