CVE-2026-31414
Analyzed Analyzed - Analysis Complete

Use-After-Reference Vulnerability in Linux Kernel Netfilter nf_conntrack_expect

Vulnerability report for CVE-2026-31414, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-13
Last Modified
2026-05-20
Generated
2026-07-06
AI Q&A
2026-04-13
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 2.6.30 (inc) to 6.1.168 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel relates to the netfilter subsystem, specifically the nf_conntrack_expect component. The issue involves the unsafe use of nfct_help() without holding a reference to the master connection tracking (conntrack) object. The fix involves using the expect->helper in ctnetlink and /proc to properly dump the helper name and ensuring that the reference to the master conntrack is held when needed. This prevents unsafe behavior by using exp->master->helper in the ctnetlink path if userspace does not provide an explicit helper when creating an expectation.

Impact Analysis

The vulnerability could lead to unsafe operations within the Linux kernel's connection tracking system, potentially causing instability or unexpected behavior in network packet processing. This might affect firewall or network filtering functions that rely on netfilter's connection tracking, possibly leading to security risks or denial of service conditions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart