{"id":"CVE-2026-31684","summary":"net: sched: act_csum: validate nested VLAN headers","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_csum: validate nested VLAN headers\n\ntcf_csum_act() walks nested VLAN headers directly from skb-\u003edata when an\nskb still carries in-payload VLAN tags. The current code reads\nvlan-\u003eh_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without\nfirst ensuring that the full VLAN header is present in the linear area.\n\nIf only part of an inner VLAN header is linearized, accessing\nh_vlan_encapsulated_proto reads past the linear area, and the following\nskb_pull(VLAN_HLEN) may violate skb invariants.\n\nFix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and\npulling each nested VLAN header. If the header still is not fully\navailable, drop the packet through the existing error path.","modified":"2026-04-26T04:22:21.560178Z","published":"2026-04-25T08:47:01.555Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31684.json","cna_assigner":"Linux"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3d165d975305cf76ff0b10a3c798fb31e5f5f9a5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a69738efea0996d05a3c7d2178551b891744df1b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c842743d073bdd683606cb414eb0ca84465dd834"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ec4930979b3f7bbeb7af5744599fc6603a4dba62"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31684.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31684"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2ecba2d1e45b24620a7c3df9531895cf68d5dec6"},{"fixed":"a69738efea0996d05a3c7d2178551b891744df1b"},{"fixed":"ec4930979b3f7bbeb7af5744599fc6603a4dba62"},{"fixed":"3d165d975305cf76ff0b10a3c798fb31e5f5f9a5"},{"fixed":"c842743d073bdd683606cb414eb0ca84465dd834"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"3764bfae5056e95617b6ee074129297e11710886"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31684.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.1.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31684.json"}}],"schema_version":"1.7.5"}