HIGH
net/x25 Fraglen Overflow
CVE-2026-31417
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI: 7.5 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets. Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be reset when purging `fragment_queue` in `x25_clear_queues()`.
02 KernelScan AI Analysis
Risk summary
Remote attackers can send crafted fragmented X.25 packets to cause an integer overflow in fragment length tracking. Because the reassembly path relies on this length for buffer allocation, the mismatch triggers a kernel panic (e.g., via skb_over_panic). Systems with active X.25 interfaces, commonly found in industrial or legacy telecom environments, are at risk.
Vulnerability analysis
The vulnerability occurs in X.25 packet fragment handling where the fraglen field accumulates packet lengths without bounds checking. An attacker can send specially crafted fragmented packets that cause fraglen to overflow beyond USHRT_MAX. Because the reassembly path allocates a buffer based on this field and then copies the full fragment queue into it, the size mismatch triggers a kernel panic before actual memory corruption can occur. The fix adds an overflow validation before accumulation and ensures fraglen is reset when clearing fragment queues so that stale values cannot be reused across connections.
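The length bookkeeping described above, as an added user-space model (not kernel code and not taken from the patch). The `frag_state` struct, the function names and the 4096-byte fragment size are constructed for illustration, and a 16-bit `unsigned short` is assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed model: only the length bookkeeping, no sockets or skbs. */
struct frag_state {
    unsigned short fraglen; /* tracked total, 16-bit as the USHRT_MAX bound implies */
    size_t queued;          /* bytes actually sitting in the fragment queue */
};

/* Pre-fix behaviour: the tracked total silently wraps past USHRT_MAX. */
static void accumulate_unchecked(struct frag_state *s, size_t len)
{
    s->fraglen = (unsigned short)(s->fraglen + len);
    s->queued += len;
}

/* Fixed behaviour: validate before accumulating; -1 means the fragment is refused. */
static int accumulate_checked(struct frag_state *s, size_t len)
{
    if (len > (size_t)(USHRT_MAX - s->fraglen))
        return -1;
    accumulate_unchecked(s, len);
    return 0;
}

/* Purging the queue must also zero the counter, or a stale total carries over. */
static void clear_queue(struct frag_state *s)
{
    s->queued = 0;
    s->fraglen = 0;
}

/* 1 if a buffer sized from fraglen can hold everything queued for reassembly. */
static int reassembly_fits(const struct frag_state *s)
{
    return (size_t)s->fraglen >= s->queued;
}

int main(void)
{
    struct frag_state u = {0, 0}, c = {0, 0};
    int i, accepted = 0;
    for (i = 0; i < 17; i++) { /* 17 x 4096 = 69632 > USHRT_MAX */
        accumulate_unchecked(&u, 4096);
        accepted += (accumulate_checked(&c, 4096) == 0);
    }
    printf("unchecked: fraglen=%u fits=%d\n", (unsigned)u.fraglen, reassembly_fits(&u));
    printf("checked: fraglen=%u accepted=%d\n", (unsigned)c.fraglen, accepted);
    clear_queue(&c);
}
```

In the unchecked case the counter ends far below the number of bytes queued, which is the size mismatch the analysis ties to the panic; the checked path stops accepting fragments before the counter can wrap.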
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 96fc16370b0b |
| 5.15 | 5.15.203 | 798d613afb64 |
| 6.1 | 6.1.168 | 6e568835ea54 |
| 6.12 | 6.12.81 | 4e2d1bcef78d |
| 6.18 | 6.18.22 | 8c92969c197b |
| 6.19 | 6.19.12 | f953f11ccf4a |
| 6.6 | 6.6.134 | 1734bd85c5e0 |
| mainline | 7.0 | a1822cb524e8 |