CVE-2026-31415

MEDIUMNVD 5.55.5—

5.5

In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid overflows in ip6_datagram_send_ctl()

Yiming Qian reported :

I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via skb_under_panic() (local DoS).

The core issue is a mismatch between:

a 16-bit length accumulator (struct ipv6_txoptions::opt_flen, type

__u16) and

a pointer to the *last* provided destination-options header (opt->dst1opt)

when multiple IPV6_DSTOPTS control messages (cmsgs) are provided.

include/net/ipv6.h:
struct ipv6_txoptions::opt_flen is __u16 (wrap possible).

(lines 291-307, especially 298)

net/ipv6/datagram.c:ip6_datagram_send_ctl():
Accepts repeated IPV6_DSTOPTS and accumulates into opt_flen

without rejecting duplicates. (lines 909-933)

net/ipv6/ip6_output.c:__ip6_append_data():
Uses opt->opt_flen + opt->opt_nflen to compute header

sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)

net/ipv6/ip6_output.c:__ip6_make_skb():
Calls ipv6_push_frag_opts() if opt->opt_flen is non-zero.

(lines 1930-1934)

net/ipv6/exthdrs.c:ipv6_push_frag_opts() / ipv6_push_exthdr():
Push size comes from ipv6_optlen(opt->dst1opt) (based on the

pointed-to header). (lines 1179-1185 and 1206-1211)

opt_flen is a 16-bit accumulator:
include/net/ipv6.h:298 defines __u16 opt_flen; /* after fragment hdr */.
ip6_datagram_send_ctl() accepts *repeated* IPV6_DSTOPTS cmsgs

and increments opt_flen each time:

In net/ipv6/datagram.c:909-933, for IPV6_DSTOPTS:
It computes len = ((hdr->hdrlen + 1) << 3);
It checks CAP_NET_RAW using ns_capable(net->user_ns,


 CAP_NET_RAW)

. (line 922)

Then it does:
opt->opt_flen += len; (line 927)
opt->dst1opt = hdr; (line 928)

There is no duplicate rejection here (unlike the legacy IPV6_2292DSTOPTS path which rejects duplicates at net/ipv6/datagram.c:901-904).

If enough large IPV6_DSTOPTS cmsgs are provided, opt_flen wraps while dst1opt still points to a large (2048-byte) destination-options header.

In the attached PoC (poc.c):

32 cmsgs with hdrlen=255 => len = (255+1)*8 = 2048
1 cmsg with hdrlen=0 => len = 8
Total increment: 32*2048 + 8 = 65544, so (__u16)opt_flen == 8
The last cmsg is 2048 bytes, so dst1opt points to a 2048-byte header.
The transmit path sizes headers using the wrapped opt_flen:
In net/ipv6/ip6_output.c:1463-1465:
headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen +


 opt->opt_nflen : 0) + ...;

With wrapped opt_flen, headersize/headroom decisions underestimate what will be pushed later.

When building the final skb, the actual push length comes from

dst1opt and is not limited by wrapped opt_flen:

In net/ipv6/ip6_output.c:1930-1934:
if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);
In net/ipv6/exthdrs.c:1206-1211, ipv6_push_frag_opts() pushes

dst1opt via ipv6_push_exthdr().

In net/ipv6/exthdrs.c:1179-1184, ipv6_push_exthdr() does:
skb_push(skb, ipv6_optlen(opt));
memcpy(h, opt, ipv6_optlen(opt));

With insufficient headroom, skb_push() underflows and triggers skb_under_panic() -> BUG():

net/core/skbuff.c:2669-2675 (skb_push() calls skb_under_panic())
net/core/skbuff.c:207-214 (skb_panic() ends in BUG())
The IPV6_DSTOPTS cmsg path requires CAP_NET_RAW in the target

netns user namespace (ns_capable(net->user_ns, CAP_NET_RAW)).

Root (or any task with CAP_NET_RAW) can trigger this without user

namespaces.

An unprivileged uid=1000 user can trigger this if unprivileged

user namespaces are enabled and it can create a userns+netns to obtain namespaced CAP_NET_RAW (the attached PoC does this).

Local denial of service: kernel BUG/panic (system crash).
---truncated---

CVSS v3: 5.5
EG Score: 5.5(medium)
EPSS: 3.4%
KEV: Not listed

Published

April 13, 2026

Last Modified

May 20, 2026

References (8)

416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4082f9984a694829153115d28c956a3534f52f29
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e83f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31

Vendor Advisories for CVE-2026-31415(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-2rf4-5672-vqwm
GitHub Security AdvisoriesMedium
In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in...

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-617

Data Freshness Timeline

(refreshed 17× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-26 13:44 UTCepss_batch
2026-05-26 13:44 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-24 16:59 UTCepss_batch
2026-05-23 15:21 UTCepss_batch
2026-05-23 00:08 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-31415?

CVE-2026-31415 is a medium vulnerability published on April 13, 2026. In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6datagramsend_ctl() Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via skbunderpanic() (local DoS). The…

When was CVE-2026-31415 disclosed?

CVE-2026-31415 was first published in the National Vulnerability Database on April 13, 2026, with the most recent update on May 20, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-31415 actively exploited?

CVE-2026-31415 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.4% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2026-31415?

CVE-2026-31415 has a CVSS v3 base score of 5.5 (NVD).

How do I remediate CVE-2026-31415?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-31415, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-31415

Explore →

Is Your Infrastructure Affected by CVE-2026-31415?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-31415

📅 Published

🔄 Last Modified

🔗 References (8)

📣 Vendor Advisories for CVE-2026-31415(1)

Weakness Classification(1)

Data Freshness Timeline

❓ Frequently asked(5)