CVE-2026-31495

MEDIUMNVD 5.55.5—

5.5

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: use netlink policy range checks

Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors.

CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at

policy level, removing the manual >= TCP_CONNTRACK_MAX check.

CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE

(14). The normal TCP option parsing path already clamps to this value, but the ctnetlink path accepted 0-255, causing undefined behavior when used as a u32 shift count.

CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with

CTA_FILTER_F_ALL, removing the manual mask checks.

CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding

a new mask define grouping all valid expect flags.

Extracted from a broader nf-next patch by Florian Westphal, scoped to ctnetlink for the fixes tree.

CVSS v3: 5.5
EG Score: 5.5(high)
EPSS: 2.9%
KEV: Not listed

Published

April 22, 2026

Last Modified

April 28, 2026

References (8)

416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2ef71307c86a9f866d6e28f1a0c06e2e9d794474
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/435b576cd2faa75154777868f8cbb73bf71644d3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/45c33e79ae705b7af97e3117672b6cd258dd0b1b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4f7d25f3f0786402ba48ff7d13b6241d77d975f5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/675c913b940488a84effdeeac5a1cfb657b59804
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8f15b5071b4548b0aafc03b366eb45c9c6566704
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c6cb41eaae875501eaaa487b8db6539feb092292
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fcec5ce2d73a41668b24e3f18c803541602a59f6

All Vendor Advisories

(1)

Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.

Microsoft MSRCCVE-2026-314952026-04-23
netfilter: ctnetlink: use netlink policy range checks

Data Freshness Timeline

(refreshed 17× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-26 13:44 UTCepss_batch
2026-05-26 13:44 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-24 16:59 UTCepss_batch
2026-05-23 15:21 UTCepss_batch
2026-05-22 21:16 UTCepss_batch

Frequently asked(5)

What is CVE-2026-31495?

CVE-2026-31495 is a medium vulnerability published on April 22, 2026. In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use netlink policy range checks Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack…

When was CVE-2026-31495 disclosed?

CVE-2026-31495 was first published in the National Vulnerability Database on April 22, 2026, with the most recent update on April 28, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-31495 actively exploited?

CVE-2026-31495 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 2.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2026-31495?

CVE-2026-31495 has a CVSS v3 base score of 5.5 (NVD).

How do I remediate CVE-2026-31495?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-31495, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-31495

Explore →

Is Your Infrastructure Affected by CVE-2026-31495?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-31495

📅 Published

🔄 Last Modified

🔗 References (8)

All Vendor Advisories

Data Freshness Timeline

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2026-31495?

🔗 Related CVEs(same vendor)

Same vendor

Published

Last Modified

References (8)

Frequently asked(5)

Related CVEs(same vendor)