Strix
26.1K

CVE-2026-31682

CRITICALCVSS 9.1/10EPSS 0.42%

Last modified

CVE-2026-31682 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.. EPSS estimates a 0.42% chance of exploitation in the next 30 days.

Description

In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.

Metrics

CVSS 3.1
9.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Probability
0.42%

33.8th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersionsUpdate
LinuxLinux Kernel>= 4.15, < 5.10.253
LinuxLinux Kernel>= 5.11, < 5.15.203
LinuxLinux Kernel>= 5.16, < 6.1.168
LinuxLinux Kernel>= 6.2, < 6.6.134
LinuxLinux Kernel>= 6.7, < 6.12.81
LinuxLinux Kernel>= 6.13, < 6.18.22
LinuxLinux Kernel>= 6.19, < 6.19.12
LinuxLinux Kernel7.0Rc1

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-31682?
In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.
How severe is CVE-2026-31682?
CVE-2026-31682 has a CVSS score of 9.1/10 (CRITICAL severity). The EPSS model estimates a 0.42% probability of exploitation in the next 30 days.
How do I fix CVE-2026-31682?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-31682?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST