HIGH
netfilter Conntrack OOB
CVE-2026-31407
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI score: 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: add missing netlink policy validations

Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly.

Quoting the reporter:

nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range.

[..]

and:

... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.
02 KernelScan AI Analysis
Risk summary
Local attackers holding CAP_NET_ADMIN (which unprivileged users can obtain inside a user namespace) can trigger out-of-bounds memory reads in netfilter conntrack by supplying invalid SCTP state values or expectation direction values over netlink. This can lead to disclosure of kernel memory (slab data) and to system crashes (kernel panic).
Vulnerability analysis
The vulnerability stems from missing input validation in netfilter's conntrack netlink interface. Two specific issues exist: (1) nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without range checking, and (2) the expectation direction can be set to an arbitrary value such as 100, so that ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, a slab-out-of-bounds read confirmed by UBSAN. The fix adds proper netlink policy validation using NLA_POLICY_MAX macros to constrain the SCTP state value and the expectation direction. Because CAP_NET_ADMIN can be acquired within a user namespace on default kernels, unprivileged local users and untrusted container workloads can reach the vulnerable netlink interface.
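The following is an added userspace C model of the fix class described above, not the kernel's code: every attribute is checked against a per-attribute policy maximum (the role NLA_POLICY_MAX plays in the fix) before its value is used as an array index. The attribute tags, array sizes and struct layout are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed attribute tags standing in for the real ctnetlink ones
 * (CTA_PROTOINFO_SCTP_STATE and the expectation direction). */
enum attr_type { ATTR_SCTP_STATE = 0, ATTR_EXPECT_DIR = 1, ATTR_TYPE_MAX };

/* Valid index ranges; the counts are assumptions of this model. */
#define SCTP_STATE_COUNT 10  /* plays the role of SCTP_CONNTRACK_MAX */
#define IP_CT_DIR_COUNT   2  /* original + reply, like IP_CT_DIR_MAX */

/* One policy entry per attribute: value must be <= max (cf. NLA_POLICY_MAX). */
struct attr_policy { uint32_t max; };
static const struct attr_policy policy[ATTR_TYPE_MAX] = {
    [ATTR_SCTP_STATE] = { .max = SCTP_STATE_COUNT - 1 },
    [ATTR_EXPECT_DIR] = { .max = IP_CT_DIR_COUNT - 1 },
};
struct attr { enum attr_type type; uint32_t value; };

/* Model of the conntrack object: the arrays an unchecked index would overrun. */
struct ct_model {
    uint32_t tuplehash[IP_CT_DIR_COUNT];
    uint32_t sctp_timeout[SCTP_STATE_COUNT];
};

/* Reject any attribute with an unknown type or a value above the policy
 * maximum; returning -1 means the caller never reaches the array index. */
int validate_attrs(const struct attr *attrs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if ((unsigned)attrs[i].type >= ATTR_TYPE_MAX ||
            attrs[i].value > policy[attrs[i].type].max)
            return -1;
    }
    return 0;
}

/* Use the attributes as indices only after validation: returns 0 and the
 * summed lookups in *out, or -1 (and leaves *out untouched) on rejection. */
int apply_attrs(const struct ct_model *ct, const struct attr *attrs, size_t n, uint32_t *out)
{
    if (validate_attrs(attrs, n) < 0)
        return -1;
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += attrs[i].type == ATTR_SCTP_STATE ? ct->sctp_timeout[attrs[i].value]
                                                : ct->tuplehash[attrs[i].value];
    *out = acc;
    return 0;
}
```

With the policy in place, the direction value 100 from the report is refused at validation time instead of reaching tuplehash[100].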
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | e7b576669347 |
| 5.15 | 5.15.209 | 78bba9f73942 |
| 6.1 | 6.1.175 | be88a337bf07 |
| 6.6 | 6.6.136 | c5e918390002 |
| 6.12 | 6.12.83 | 9174d28f3f15 |
| 6.18 | 6.18.24 | 67c53c1978ce |
| 6.19 | 6.19.10 | 0fbae1e74493 |
| mainline | 7.0 | f900e1d77ee0 |