CVE-2026-31684

Advisory lineage Upstream: 0 Downstream: 6

Downstream

DEBIAN-CVE-2026-31684 RHSA-2026:21556 RHSA-2026:21557 RHSA-2026:21706 RHSA-2026:21745 UBUNTU-CVE-2026-31684

Modified

Published: 25 Apr 2026, 08:47

Last modified:01 Jun 2026, 16:13

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.5 MEDIUM

v3.1 (nvd)

EPSS Score

0.01% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

25 Apr 2026, 08:47

Published

Vulnerability first disclosed

01 Jun 2026, 16:13

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area, and the following skb_pull(VLAN_HLEN) may violate skb invariants. Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and pulling each nested VLAN header. If the header still is not fully available, drop the packet through the existing error path.

CVSS Metrics

v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.01%• Percentile: 3%

Affected Systems

linux•linux
≥ 2ecba2d1e45b24620a7c3df9531895cf68d5dec6, < 0410c619e86551677fb79887a38eccad3f5a0725 | ≥ 2ecba2d1e45b24620a7c3df9531895cf68d5dec6, < 886469b6455611a511aa6013e957e15e50577513 | ≥ 2ecba2d1e45b24620a7c3df9531895cf68d5dec6, < 46c07ad50fa2f4ba7663ee1b72b75ad7ad45cf09 | ≥ 2ecba2d1e45b24620a7c3df9531895cf68d5dec6, < eb3765b90eb8f2a3d6310a80c14a9e57ec4267a2 | ≥ 2ecba2d1e45b24620a7c3df9531895cf68d5dec6, < a69738efea0996d05a3c7d2178551b891744df1b | ≥ 2ecba2d1e45b24620a7c3df9531895cf68d5dec6, < ec4930979b3f7bbeb7af5744599fc6603a4dba62 | ≥ 2ecba2d1e45b24620a7c3df9531895cf68d5dec6, < 3d165d975305cf76ff0b10a3c798fb31e5f5f9a5 | ≥ 2ecba2d1e45b24620a7c3df9531895cf68d5dec6, < c842743d073bdd683606cb414eb0ca84465dd834 | 3764bfae5056e95617b6ee074129297e11710886 | ≥ 4.19.99, < 4.20 | 5.1
linux•linux_kernel
≥ 4.19.99, < 4.20 | ≥ 5.1, < 6.6.136 | ≥ 6.7, < 6.12.83 | ≥ 6.13, < 6.18.24 | ≥ 6.19, < 6.19.14 | 7.0:rc1 | 7.0:rc2 | 7.0:rc3 | 7.0:rc4 | 7.0:rc5 | 7.0:rc6 | 7.0:rc7