CVE-2026-31414
Analyzed Analyzed - Analysis Complete
Use-After-Reference Vulnerability in Linux Kernel Netfilter nf_conntrack_expect

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31414
EUVD
EUVD-2026-21932
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 2.6.30 (inc) to 6.1.168 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel relates to the netfilter subsystem, specifically the nf_conntrack_expect component. The issue involves the unsafe use of nfct_help() without holding a reference to the master connection tracking (conntrack) object. The fix involves using the expect->helper in ctnetlink and /proc to properly dump the helper name and ensuring that the reference to the master conntrack is held when needed. This prevents unsafe behavior by using exp->master->helper in the ctnetlink path if userspace does not provide an explicit helper when creating an expectation.

Impact Analysis

The vulnerability could lead to unsafe operations within the Linux kernel's connection tracking system, potentially causing instability or unexpected behavior in network packet processing. This might affect firewall or network filtering functions that rely on netfilter's connection tracking, possibly leading to security risks or denial of service conditions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart