{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31682", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.130Z", "datePublished": "2026-04-25T08:46:59.106Z", "dateUpdated": "2026-04-27T14:05:02.173Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-27T14:05:02.173Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/br_arp_nd_proxy.c"], "versions": [{"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "c68433fd291c9e88c00292095172c62d1997d662", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "4f397b950c916e9a1f8a4fce04ea0110206cad47", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "bd91ec85aa4c77d645bd2739fc56784157a88ca2", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "658261898130da620fc3d0fbb0523efb3366cb55", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "2ba4caba423ed94d63006eb1d2227b0332ab7fcd", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "9c55e41c73af5c4511070933b1bd25248521270c", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "3a30f6469b058574f49efde61cd6f5d79e576053", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "a01aee7cafc575bb82f5529e8734e7052f9b16ea", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/br_arp_nd_proxy.c"], "versions": [{"version": "4.15", "status": "affected"}, {"version": "0", "lessThan": "4.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c68433fd291c9e88c00292095172c62d1997d662"}, {"url": "https://git.kernel.org/stable/c/4f397b950c916e9a1f8a4fce04ea0110206cad47"}, {"url": "https://git.kernel.org/stable/c/bd91ec85aa4c77d645bd2739fc56784157a88ca2"}, {"url": "https://git.kernel.org/stable/c/658261898130da620fc3d0fbb0523efb3366cb55"}, {"url": "https://git.kernel.org/stable/c/2ba4caba423ed94d63006eb1d2227b0332ab7fcd"}, {"url": "https://git.kernel.org/stable/c/9c55e41c73af5c4511070933b1bd25248521270c"}, {"url": "https://git.kernel.org/stable/c/3a30f6469b058574f49efde61cd6f5d79e576053"}, {"url": "https://git.kernel.org/stable/c/a01aee7cafc575bb82f5529e8734e7052f9b16ea"}], "title": "bridge: br_nd_send: linearize skb before parsing ND options", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header."}], "id": "CVE-2026-31682", "lastModified": "2026-04-27T15:16:19.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-25T09:16:01.913", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2ba4caba423ed94d63006eb1d2227b0332ab7fcd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3a30f6469b058574f49efde61cd6f5d79e576053"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4f397b950c916e9a1f8a4fce04ea0110206cad47"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/658261898130da620fc3d0fbb0523efb3366cb55"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9c55e41c73af5c4511070933b1bd25248521270c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a01aee7cafc575bb82f5529e8734e7052f9b16ea"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bd91ec85aa4c77d645bd2739fc56784157a88ca2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c68433fd291c9e88c00292095172c62d1997d662"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: bridge: br_nd_send: linearize skb before parsing ND options", "id": "2461754", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461754"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-788", "details": ["A flaw was found in the Linux kernel's bridge component. This vulnerability occurs because the system does not properly prepare network packet data before processing Neighbor Discovery (ND) options. An attacker could exploit this by sending specially crafted network packets, causing the system to read sensitive information from unintended memory locations or crash the system, leading to a denial of service."], "name": "CVE-2026-31682", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31682\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31682\nhttps://lore.kernel.org/linux-cve-announce/2026042545-CVE-2026-31682-fe50@gregkh/T"], "threat_severity": "Moderate"}

{}