{"id":"CVE-2026-31495","summary":"netfilter: ctnetlink: use netlink policy range checks","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: use netlink policy range checks\n\nReplace manual range and mask validations with netlink policy\nannotations in ctnetlink code paths, so that the netlink core rejects\ninvalid values early and can generate extack errors.\n\n- CTA_PROTOINFO_TCP_STATE: reject values \u003e TCP_CONNTRACK_SYN_SENT2 at\n  policy level, removing the manual \u003e= TCP_CONNTRACK_MAX check.\n- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values \u003e TCP_MAX_WSCALE\n  (14). The normal TCP option parsing path already clamps to this value,\n  but the ctnetlink path accepted 0-255, causing undefined behavior when\n  used as a u32 shift count.\n- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with\n  CTA_FILTER_F_ALL, removing the manual mask checks.\n- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding\n  a new mask define grouping all valid expect flags.\n\nExtracted from a broader nf-next patch by Florian Westphal, scoped to\nctnetlink for the fixes tree.","modified":"2026-07-04T18:29:20.748502136Z","published":"2026-04-22T13:54:17.591Z","related":["SUSE-SU-2026:22433-1","SUSE-SU-2026:22436-1","SUSE-SU-2026:22458-1","SUSE-SU-2026:22460-1","SUSE-SU-2026:2722-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31495.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2ef71307c86a9f866d6e28f1a0c06e2e9d794474"},{"type":"WEB","url":"https://git.kernel.org/stable/c/435b576cd2faa75154777868f8cbb73bf71644d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/45c33e79ae705b7af97e3117672b6cd258dd0b1b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4f7d25f3f0786402ba48ff7d13b6241d77d975f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/675c913b940488a84effdeeac5a1cfb657b59804"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8f15b5071b4548b0aafc03b366eb45c9c6566704"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c6cb41eaae875501eaaa487b8db6539feb092292"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fcec5ce2d73a41668b24e3f18c803541602a59f6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31495.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31495"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4"},{"fixed":"435b576cd2faa75154777868f8cbb73bf71644d3"},{"fixed":"2ef71307c86a9f866d6e28f1a0c06e2e9d794474"},{"fixed":"4f7d25f3f0786402ba48ff7d13b6241d77d975f5"},{"fixed":"fcec5ce2d73a41668b24e3f18c803541602a59f6"},{"fixed":"675c913b940488a84effdeeac5a1cfb657b59804"},{"fixed":"c6cb41eaae875501eaaa487b8db6539feb092292"},{"fixed":"45c33e79ae705b7af97e3117672b6cd258dd0b1b"},{"fixed":"8f15b5071b4548b0aafc03b366eb45c9c6566704"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31495.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.22"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31495.json"}}],"schema_version":"1.7.5"}