CVE-2026-31675
Received Received - Intake
Out-of-Bounds Access in Linux Kernel netem Packet Corruption

Publication date: 2026-04-25

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31675
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 2.6.16 (inc) to 6.6.134 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network scheduler, specifically in the netem module responsible for packet corruption simulation.

The issue occurs in the function netem_enqueue(), where the code uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying packet data (skb->data).

When packets are fully non-linear and sent over an IPIP tunnel using AF_PACKET TX_RING, skb_headlen(skb) returns 0.

Passing 0 to get_random_u32_below() triggers a slow path that returns an unconstrained 32-bit random integer, which is then used as an offset into skb->data, causing an out-of-bounds memory access.

The fix involves checking that skb_headlen(skb) is non-zero before attempting to corrupt the linear data area, so fully non-linear packets bypass the corruption logic safely.

Impact Analysis

This vulnerability can lead to out-of-bounds memory access in the Linux kernel's network stack.

Such memory access issues can cause system instability, crashes, or potentially allow attackers to execute arbitrary code or cause denial of service.

The impact depends on whether the affected system processes fully non-linear packets over IPIP tunnels using AF_PACKET TX_RING.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31675. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart