CVE-2026-31679
Received Received - Intake
Improper Payload Validation in Linux Open vSwitch MPLS Actions

Publication date: 2026-04-25

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: openvswitch: validate MPLS set/set_masked payload length validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for SET/SET_MASKED actions. In action handling, OVS expects fixed-size MPLS key data (struct ovs_key_mpls). Use the already normalized key_len (masked case included) and reject non-matching MPLS action key sizes. Reject invalid MPLS action payload lengths early.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31679
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 5.5 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's openvswitch component, specifically in how it validates MPLS (Multiprotocol Label Switching) set and set_masked payload lengths.

The function validate_set() incorrectly accepted OVS_KEY_ATTR_MPLS as a variable-sized payload for SET and SET_MASKED actions, while the openvswitch expects a fixed-size MPLS key data structure (struct ovs_key_mpls).

This mismatch could allow invalid MPLS action payload lengths to be processed, potentially leading to unexpected behavior.

The fix involves using the already normalized key length (including masked cases) and rejecting any MPLS action key sizes that do not match the expected fixed size, thereby rejecting invalid MPLS action payload lengths early.

Impact Analysis

This vulnerability involves improper validation of MPLS payload lengths in the openvswitch component of the Linux kernel. Specifically, the validate_set() function accepted variable-sized MPLS payloads where fixed-size data was expected, potentially allowing invalid MPLS action payloads to be processed.

The impact could include unexpected behavior or errors in network packet processing within openvswitch, which might lead to instability or incorrect handling of network traffic.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31679. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart