CVE-2026-31411
Analyzed Analyzed - Analysis Complete
Use-After-Free Vulnerability in Linux ATM sigd_send() Causes Crash

Publication date: 2026-04-08

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31411
EUVD
EUVD-2026-20469
Affected Vendors & Products
Showing 18 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel From 6.13 (inc) to 6.18.14 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.4 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.202 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.10.252 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed by validating the vcc pointer in the Linux kernel's ATM send path to prevent crashes caused by unvalidated pointers.

Immediate mitigation steps include updating the Linux kernel to a version that includes the fix which introduces the find_get_vcc() function. This function validates the vcc pointer by searching through vcc_hash and acquiring a reference if found, preventing arbitrary pointer dereferencing.

Executive Summary

This vulnerability exists in the Linux kernel's ATM networking code, specifically in the function sigd_send(). The function reads a vcc pointer from a message structure without validating it. This pointer originates from userspace via the sendmsg() system call and can be forged by a malicious user.

Because the kernel uses this unvalidated pointer directly, an attacker can supply an arbitrary pointer value, causing the kernel to dereference invalid memory. This can lead to a crash or other unintended behavior.

The vulnerability arises because the ATM signaling daemon is expected to return the same vcc pointer it received, but a malicious daemon can send arbitrary pointers. The fix involves validating the pointer by searching through a hash of valid vccs and acquiring a reference to ensure the pointer is legitimate before use.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to dereferencing an invalid pointer supplied by a malicious user or daemon. Such crashes can lead to denial of service (DoS) conditions, affecting system availability.

Additionally, if exploited in a more sophisticated manner, it could potentially lead to memory corruption or other undefined behavior, which might be leveraged for privilege escalation or other attacks, although the description primarily highlights crash risks.

Detection Guidance

This vulnerability involves the Linux kernel ATM subsystem where an unvalidated vcc pointer from userspace can cause a crash. Detection would involve monitoring for abnormal crashes or kernel messages related to ATM signaling daemon operations, especially those involving sendmsg calls on AF_ATMSVC sockets.

Since the vulnerability is triggered by sending a forged vcc pointer via sendmsg on an AF_ATMSVC socket, one way to detect attempts is to monitor or audit usage of such sockets and ioctl calls related to ATMSIGD_CTRL.

No specific detection commands are provided in the context or resources, but a possible approach is to use system tracing or auditing tools to watch for suspicious sendmsg calls on AF_ATMSVC sockets or unexpected ioctl calls.

  • Use strace or auditd to monitor sendmsg calls on AF_ATMSVC sockets.
  • Check kernel logs (dmesg) for crashes or oops messages related to atm or sigd_send.
  • Use commands like: sudo strace -e trace=sendmsg -p <pid_of_atm_signaling_daemon>
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31411. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart