Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-31675— net/sched: sch_netem: fix out-of-bounds access in packet corruption

CVSS 7.8 · High EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-31675

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
net/sched: sch_netem: fix out-of-bounds access in packet corruption
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于sch_netem中数据包损坏逻辑在skb_headlen为零时使用未约束随机值,可能导致越界内存访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux c865e5d99e25a171e8262fc0f7ba608568633c64 ~ a14b56863348686dd0387eea8ce66b85cf455908 -
LinuxLinux 2.6.16 -

II. Public POCs for CVE-2026-31675

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-31675

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-04-25 · 13 CVEs total

CVE-2026-316859.4 CRITICALnetfilter: ip6t_eui64: reject invalid MAC header for all packets
CVE-2026-316829.1 CRITICALbridge: br_nd_send: linearize skb before parsing ND options
CVE-2026-316837.8 HIGHbatman-adv: avoid OGM aggregation when skb tailroom is insufficient
CVE-2026-316807.8 HIGHnet: ipv6: flowlabel: defer exclusive option free until RCU teardown
CVE-2026-316787.8 HIGHopenvswitch: defer tunnel netdev_put to RCU release
CVE-2026-316737.8 HIGHaf_unix: read UNIX_DIAG_VFS data under unix_state_lock
CVE-2026-316767.5 HIGHrxrpc: only handle RESPONSE during service challenge
CVE-2026-316797.1 HIGHopenvswitch: validate MPLS set/set_masked payload length
CVE-2026-316747.1 HIGHnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
CVE-2026-31684net: sched: act_csum: validate nested VLAN headers
CVE-2026-31681netfilter: xt_multiport: validate range encoding in checkentry
CVE-2026-31677crypto: af_alg - limit RX SG extraction by receive buffer budget

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-31675

No comments yet

Leave a comment