CVE-2026-31674
Out-of-Bounds Access in Linux netfilter ip6t_rt Match Rules
Publication date: 2026-04-25
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter component, specifically in the ip6t_rt module. The issue involves the handling of the addrnr value in the rt_mt6_check() function. The vulnerability arises because the code did not properly reject rules where addrnr exceeds the maximum allowed value (IP6T_RT_HOPS). Since rt_mt6() expects addrnr to be within the bounds of the rtinfo->addrs[] array, an out-of-range addrnr could cause unexpected behavior. The fix involves validating addrnr during rule installation to reject malformed rules before they can be used in matching logic.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow malformed netfilter rules with out-of-range addrnr values to be installed. This might lead to unexpected behavior in the kernel's packet filtering logic, potentially causing crashes, denial of service, or other unpredictable effects depending on how the out-of-bounds access is handled.