CVE-2026-31675
Out-of-Bounds Access in Linux Kernel netem Packet Corruption
Publication date: 2026-04-25
Last updated on: 2026-04-27
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's network scheduler, specifically in the netem module responsible for packet corruption simulation.
The issue occurs in the function netem_enqueue(), where the code uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying packet data (skb->data).
When packets are fully non-linear and sent over an IPIP tunnel using AF_PACKET TX_RING, skb_headlen(skb) returns 0.
Passing 0 to get_random_u32_below() triggers a slow path that returns an unconstrained 32-bit random integer, which is then used as an offset into skb->data, causing an out-of-bounds memory access.
The fix involves checking that skb_headlen(skb) is non-zero before attempting to corrupt the linear data area, so fully non-linear packets bypass the corruption logic safely.
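The guard described above, as an added user-space model in C (not kernel source and not the upstream patch). The struct, the function names, the 64-byte buffer and the single-bit flip are assumptions made for illustration; model_random_below() only mimics the zero-ceiling behaviour stated in the description.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an sk_buff: only the linear head is modelled. */
struct pkt_model {
    uint8_t  head[64];   /* plays the role of skb->data          */
    uint32_t head_len;   /* plays the role of skb_headlen(skb)   */
};

/* Models the behaviour described for get_random_u32_below():
 * a ceiling of 0 leaves the 32-bit result unbounded. */
static uint32_t model_random_below(uint32_t ceil)
{
    uint32_t r = ((uint32_t)rand() << 16) ^ (uint32_t)rand();
    return ceil ? r % ceil : r;
}

/* Unguarded index selection: returns the offset that would be used.
 * Nothing is written here; the value is only inspected by the caller. */
uint32_t pick_offset_unguarded(const struct pkt_model *p)
{
    return model_random_below(p->head_len);
}

/* Guarded corruption: skip packets with no linear data, otherwise flip
 * one bit (assumed corruption style) inside the linear area.
 * Returns 1 if a byte was modified, 0 if the packet was skipped. */
int corrupt_guarded(struct pkt_model *p)
{
    if (p->head_len == 0)
        return 0;                 /* fully non-linear: nothing to corrupt */
    uint32_t off = model_random_below(p->head_len);
    p->head[off] ^= (uint8_t)(1u << model_random_below(8));
    return 1;
}

/* Counts bytes that differ between two buffers of length n. */
int count_changed(const uint8_t *a, const uint8_t *b, size_t n)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++)
        changed += (a[i] != b[i]);
    return changed;
}
```

With head_len set to 0 the unguarded helper yields offsets far beyond the 64-byte buffer, while the guarded path leaves the packet untouched.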
How can this vulnerability impact me?
This vulnerability can lead to out-of-bounds memory access in the Linux kernel's network stack.
Such memory access issues can cause system instability, crashes, or denial of service, and could potentially allow attackers to execute arbitrary code.
The impact depends on whether the affected system processes fully non-linear packets over IPIP tunnels using AF_PACKET TX_RING.