HIGH
netfilter IPv6Route OOB
CVE-2026-31674
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()

Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.

rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.
02 KernelScan AI Analysis
Risk summary
Unprivileged users with access to user namespaces, or administrators with CAP_NET_ADMIN, can trigger an out-of-bounds read by installing malformed IPv6 routing header match rules in netfilter. This can lead to leakage of adjacent kernel heap memory and likely system crashes on systems with IPv6 netfilter enabled.
Vulnerability analysis
The rt_mt6_check() function in the IPv6 routing header netfilter match module fails to validate that the addrnr field does not exceed IP6T_RT_HOPS before rule installation. When rt_mt6() later processes packets against the malformed rule, it uses the unchecked addrnr value to index into rtinfo->addrs[], resulting in an out-of-bounds read. The fix adds proper bounds checking during rule validation to reject oversized addrnr values before they can be used unsafely. On default kernels, the attack surface extends to unprivileged users who can create user namespaces and obtain CAP_NET_ADMIN, enabling rule installation without root privileges in the init namespace.
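A simplified userspace model of the install-time check described above, added here as an illustration and not the kernel's own code. The struct layout, the names rt_rule_check, rt_rule_match and rt_rule_install, and the value 16 for the hop limit are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define RT_HOPS 16                 /* assumed stand-in for IP6T_RT_HOPS */

struct addr6 { uint8_t b[16]; };   /* one IPv6 address */

/* Model of the rule data: a fixed array plus a caller-supplied count. */
struct rt_rule {
    struct addr6 addrs[RT_HOPS];   /* addresses the rule lists */
    uint8_t addrnr;                /* number of addrs[] entries in use */
};

/* Install-time validation: refuse any count the array cannot hold. */
int rt_rule_check(const struct rt_rule *r)
{
    if (r->addrnr > RT_HOPS)
        return -EINVAL;
    return 0;
}

/* Match-time logic: indexes addrs[] by addrnr without re-checking it,
 * so it is only safe on rules that passed rt_rule_check().
 * Returns 1 when the first addrnr header addresses equal the rule's. */
int rt_rule_match(const struct rt_rule *r, const struct addr6 *hdr,
                  unsigned hdr_n)
{
    if (r->addrnr > hdr_n)
        return 0;
    for (unsigned i = 0; i < r->addrnr; i++)
        if (memcmp(&r->addrs[i], &hdr[i], sizeof(struct addr6)) != 0)
            return 0;
    return 1;
}

/* Installer: a rule becomes visible to the match path only after the
 * check succeeds, so a malformed count never reaches rt_rule_match(). */
int rt_rule_install(const struct rt_rule *r, const struct rt_rule **slot)
{
    int err = rt_rule_check(r);
    if (err)
        return err;
    *slot = r;
    return 0;
}
```

The boundary value RT_HOPS itself is accepted, since it still indexes only entries 0 through RT_HOPS - 1; the first rejected value is RT_HOPS + 1.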
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 13e3e30ed3b5 |
| 5.15 | 5.15.203 | af9b7e2b7659 |
| 6.1 | 6.1.168 | 29ea965a1353 |
| 6.6 | 6.6.131 | c6a503a9f4de |
| 6.12 | 6.12.80 | ded71f5684df |
| 6.18 | 6.18.21 | d8795fde1f78 |
| 6.19 | 6.19.11 | a28ebf6f99de |
| mainline | 7.0 | 9d3f027327c2 |