HIGH
tipc Group Broadcast Counter Underflow
CVE-2026-31662
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI: 7.5 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG

The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round.

Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts on the affected socket stay blocked until the group is recreated.

Fix this by ignoring duplicate or stale ACKs before touching bc_acked or bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and prevents the underflow path.
02 KernelScan AI Analysis
Risk summary
A network attacker can send duplicate acknowledgment messages to cause integer underflow in TIPC group broadcast counters, permanently blocking broadcast functionality on affected sockets until groups are recreated. This creates a denial of service condition for TIPC group communication.
Vulnerability analysis
Summary: Integer underflow in TIPC group broadcast acknowledgment counter leading to denial of service
Root Cause: The tipc_group_proto_rcv() function decrements the bc_ackers counter (u16) on every GRP_ACK_MSG without checking if the acknowledgment is duplicate or stale. When a duplicate ACK is received after the counter reaches 0, it underflows to 65535, causing tipc_group_bc_cong() to permanently report congestion.
Attack Mechanism: An attacker can send duplicate GRP_ACK_MSG packets to trigger the underflow condition. Once underflowed, the affected socket becomes unable to send group broadcasts until the group is recreated, effectively creating a denial of service condition.
Attack Surface: Network-accessible through TIPC protocol. Requires ability to send TIPC group messages to trigger the vulnerability. The attack affects group broadcast functionality specifically.
Fix Mechanism: The patch adds validation to ignore duplicate or stale ACKs by checking if the received acknowledgment number is less than or equal to the already recorded acknowledgment (less_eq(acked, m->bc_acked)). This makes the ACK handling idempotent and prevents the underflow.
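The counter logic described above can be modelled in user space. This is an added example, not kernel source or the actual patch: the struct layouts, the two handler names and simulate() are assumptions made for illustration, and only bc_acked, bc_ackers and the less_eq() comparison come from the advisory text.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model only: field names follow the advisory, the rest is assumed. */
struct member { uint16_t bc_acked; };   /* last broadcast seqno this member acked */
struct group  { uint16_t bc_ackers; };  /* ACKs still outstanding for the round   */

/* Wrap-safe "left <= right" on 16-bit sequence numbers. */
static int less_eq(uint16_t left, uint16_t right)
{
    return (uint16_t)(right - left) < 32768u;
}

/* Pre-fix behaviour: every ACK decrements, duplicates included. */
static void ack_rcv_unpatched(struct group *g, struct member *m, uint16_t acked)
{
    m->bc_acked = acked;
    g->bc_ackers--;                     /* 0 - 1 wraps to 65535 in a u16 */
}

/* Post-fix behaviour: duplicate or stale ACKs are dropped before state changes. */
static void ack_rcv_patched(struct group *g, struct member *m, uint16_t acked)
{
    if (less_eq(acked, m->bc_acked))
        return;
    m->bc_acked = acked;
    g->bc_ackers--;
}

/* Two members ack broadcast seqno 1, then member 0 repeats its ACK `dups` times.
 * A nonzero return models the state in which congestion keeps being reported. */
static uint16_t simulate(int patched, int dups)
{
    void (*rcv)(struct group *, struct member *, uint16_t) =
        patched ? ack_rcv_patched : ack_rcv_unpatched;
    struct member m[2] = { {0}, {0} };  /* constructed sample state */
    struct group g = { 2 };

    rcv(&g, &m[0], 1);
    rcv(&g, &m[1], 1);
    for (int i = 0; i < dups; i++)
        rcv(&g, &m[0], 1);
    return g.bc_ackers;
}

int main(void)
{
    printf("unpatched: bc_ackers=%u\n", (unsigned)simulate(0, 1));
    printf("patched:   bc_ackers=%u\n", (unsigned)simulate(1, 1));
    return 0;
}
```

Because less_eq() compares modulo 2^16, an ACK for sequence number 0 that follows 65535 is still treated as new rather than stale.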
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | a7db57ccca21 |
| 5.15 | 5.15.203 | 36ec4fdd6250 |
| 6.1 | 6.1.169 | 575faea557f1 |
| 6.6 | 6.6.135 | 3bcf7aca63f0 |
| 6.12 | 6.12.82 | a2ea1ef0167d |
| 6.18 | 6.18.23 | 1b6f13f62666 |
| 6.19 | 6.19.13 | e0bb732eaf77 |
| mainline | 7.0 | 48a5fe38772b |