Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-31684— net: sched: act_csum: validate nested VLAN headers

EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-31684

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
net: sched: act_csum: validate nested VLAN headers
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area, and the following skb_pull(VLAN_HLEN) may violate skb invariants. Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and pulling each nested VLAN header. If the header still is not fully available, drop the packet through the existing error path.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于act_csum中嵌套VLAN标头未确保线性存在,可能导致读取线性区域外数据及skb_pull违反不变量。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 ~ eb3765b90eb8f2a3d6310a80c14a9e57ec4267a2 -
LinuxLinux 5.1 -

II. Public POCs for CVE-2026-31684

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-31684

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-04-25 · 13 CVEs total

CVE-2026-316859.4 CRITICALnetfilter: ip6t_eui64: reject invalid MAC header for all packets
CVE-2026-316829.1 CRITICALbridge: br_nd_send: linearize skb before parsing ND options
CVE-2026-316837.8 HIGHbatman-adv: avoid OGM aggregation when skb tailroom is insufficient
CVE-2026-316807.8 HIGHnet: ipv6: flowlabel: defer exclusive option free until RCU teardown
CVE-2026-316787.8 HIGHopenvswitch: defer tunnel netdev_put to RCU release
CVE-2026-316757.8 HIGHnet/sched: sch_netem: fix out-of-bounds access in packet corruption
CVE-2026-316737.8 HIGHaf_unix: read UNIX_DIAG_VFS data under unix_state_lock
CVE-2026-316767.5 HIGHrxrpc: only handle RESPONSE during service challenge
CVE-2026-316797.1 HIGHopenvswitch: validate MPLS set/set_masked payload length
CVE-2026-316747.1 HIGHnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
CVE-2026-31681netfilter: xt_multiport: validate range encoding in checkentry
CVE-2026-31677crypto: af_alg - limit RX SG extraction by receive buffer budget

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-31684

No comments yet

Leave a comment