CRITICAL
media DVB ULE OOB
CVE-2026-31405
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI8.7HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.
02KernelScan AI Analysis
Risk summary
Adjacent attackers can trigger out-of-bounds reads in DVB ULE extension header processing by broadcasting crafted DVB streams. The vulnerability allows reading an out-of-bounds function pointer and potentially executing arbitrary code through the corrupted function pointer. Systems with DVB hardware receiving broadcast streams are at risk.
Vulnerability analysis
The vulnerability occurs in handle_one_ule_extension() where the htype index (derived from broadcast-controlled ule_sndu_type & 0x00FF) can range 0-255, but the ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] arrays only have 255 elements (indices 0-254). When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function. The fix adds a bounds check against ARRAY_SIZE() before accessing either table, causing out-of-range values to be discarded. This is reachable through DVB broadcast streams without requiring authentication.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | e51238718217 |
| 5.15 | 5.15.203 | b2bd2ee73b69 |
| 6.1 | 6.1.167 | 29ef43ceb121 |
| 6.12 | 6.12.78 | 145e50c2c700 |
| 6.18 | 6.18.19 | 8bde543d2a5f |
| 6.19 | 6.19.9 | f2b65dcb78c8 |
| 6.6 | 6.6.130 | 1a6da3dbb998 |
| mainline | 7.0 | 24d87712727a |