CVE-2026-31675
Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 6.19.12-1 |
| debian | sid | fixed | 6.19.12-1 |
| debian | trixie | fixed | 6.12.85-1 |
| linux-kernel | affected | 6.6.134 | |
| linux-kernel | 7.0 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gcp | | |
References
- https://git.kernel.org/stable/c/13a66ca1e235d4bcd53d12d4c68490cad7f8e46f
- https://git.kernel.org/stable/c/3a2999704ac36cfb4041fed3652d26a3373e8d12
- https://git.kernel.org/stable/c/4fd258e281fa8bc15e9ce2c7691941537e9258ad
- https://git.kernel.org/stable/c/a14b56863348686dd0387eea8ce66b85cf455908
- https://git.kernel.org/stable/c/d64cb81dcbd54927515a7f65e5e24affdc73c14b
- https://www.suse.com/security/cve/CVE-2026-31675.html
- https://security-tracker.debian.org/tracker/CVE-2026-31675
CWEs
CWE-125
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.