CVE-2026-31418
Analyzed Analyzed - Analysis Complete

Logic Error in Linux Kernel netfilter ipset Bucket Handling

Vulnerability report for CVE-2026-31418, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-13
Last Modified
2026-05-20
Generated
2026-07-06
AI Q&A
2026-04-13
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 20 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.6
linux linux_kernel 5.6
linux linux_kernel 5.6
linux linux_kernel 5.6
linux linux_kernel 5.6
linux linux_kernel From 5.5.8 (inc) to 5.6 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.6.1 (inc) to 5.10.253 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 5.4.24 (inc) to 5.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter ipset component, specifically in the function mtype_del(). The function is responsible for managing buckets of entries, but it incorrectly handles empty buckets. It only drops a bucket when both n->pos and k are zero, which causes it to miss buckets that have had all their live entries removed but where n->pos still points past deleted slots. The fix treats a bucket as empty when all positions below n->pos are unused and releases it directly instead of shrinking it further.

Impact Analysis

This vulnerability in the Linux kernel's netfilter ipset component involves improper handling of logically empty buckets in the mtype_del function. It may cause the system to retain empty buckets longer than necessary, potentially leading to inefficient memory usage or resource management issues.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31418. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart