CVE-2026-31684

MEDIUM

net: sched: act_csum: validate nested VLAN headers

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area, and the following skb_pull(VLAN_HLEN) may violate skb invariants. Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and pulling each nested VLAN header. If the header still is not fully available, drop the packet through the existing error path.

Scores

CVSS v3 5.5
EPSS 0.0012
EPSS Percentile 1.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (29)
linux/Kernel 5.1.0 - 5.10.258linux
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.24linux
linux/Kernel 6.19.0 - 6.19.14linux
linux/Kernel 6.2.0 - 6.6.136linux
linux/Kernel 6.7.0 - 6.12.83linux
Linux/Linux < 5.1
Linux/Linux 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 - 0410c619e86551677fb79887a38eccad3f5a0725
Linux/Linux 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 - 3d165d975305cf76ff0b10a3c798fb31e5f5f9a5
... and 19 more
Published Apr 25, 2026
Tracked Since Apr 25, 2026