CVE-2026-31418
Analyzed Analyzed - Analysis Complete
Logic Error in Linux Kernel netfilter ipset Bucket Handling

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-05-20
Generated
2026-05-27
AI Q&A
2026-04-13
EPSS Evaluated
2026-05-25
NVD
CVE-2026-31418
EUVD
EUVD-2026-21941
Affected Vendors & Products
Showing 20 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.6
linux linux_kernel 5.6
linux linux_kernel 5.6
linux linux_kernel 5.6
linux linux_kernel 5.6
linux linux_kernel From 5.5.8 (inc) to 5.6 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.6.1 (inc) to 5.10.253 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 5.4.24 (inc) to 5.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability in the Linux kernel's netfilter ipset component involves improper handling of logically empty buckets in the mtype_del function. It may cause the system to retain empty buckets longer than necessary, potentially leading to inefficient memory usage or resource management issues.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter ipset component, specifically in the function mtype_del(). The function is responsible for managing buckets of entries, but it incorrectly handles empty buckets. It only drops a bucket when both n->pos and k are zero, which causes it to miss buckets that have had all their live entries removed but where n->pos still points past deleted slots. The fix treats a bucket as empty when all positions below n->pos are unused and releases it directly instead of shrinking it further.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart