CVE-2026-31685
Received Received - Intake
Use-After-Free in Linux netfilter ip6t_eui64 Allows Invalid MAC Access

Publication date: 2026-04-25

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31685
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.83 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the ip6t_eui64 module. The function eui64_mt6() derives a modified EUI-64 identifier from the Ethernet source address and compares it with the lower 64 bits of the IPv6 source address.

The issue is that the existing check only rejects packets with an invalid MAC header if the packet's fragment offset (par->fragoff) is not zero. For packets where par->fragoff is zero, the function can still access the Ethernet header even if it is invalid, which can lead to improper handling of such packets.

The fix removes the condition that restricts the check to only fragmented packets, ensuring that all packets with invalid MAC headers are rejected before accessing the Ethernet header.

Impact Analysis

This vulnerability can lead to improper processing of network packets with invalid MAC headers in the Linux kernel. Specifically, it allows packets with invalid MAC headers and zero fragment offset to bypass validation checks.

Such improper handling could potentially be exploited to cause unexpected behavior in the kernel's network stack, which might lead to denial of service or other security issues depending on how the kernel processes these malformed packets.

Mitigation Strategies

The vulnerability has been resolved by updating the Linux kernel to reject invalid MAC headers for all packets in the netfilter ip6t_eui64 module.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31685. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart