bridge: br_nd_send: linearize skb before parsing ND options_CVE-2026-31682

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: br_nd_send: linearize skb before parsing ND options

br_nd_send() parses neighbour discovery options from ns->opt[] and
assumes that these options are in the linear part of request.

Its callers only guarantee that the ICMPv6 header and target address
are available, so the option area can still be non-linear. Parsing
ns->opt[] in that case can access data past the linear buffer.

Linearize request before option parsing and derive ns from the linear
network header.

AI Analysis

A vulnerability in the Linux kernel's bridge functionality allows for potential data access beyond the linear buffer, potentially leading to information disclosure or other security issues.

Basic Information

ID CVE-2026-31682

Source Linux

Published Apr 25, 2026 at 08:46

Modified Apr 27, 2026 at 14:05

Affected Product

Vendor Linux

Product Linux

Version ed842faeb2bd49256f00485402f3113205f91d30

Affected Versions Linux Linux ed842faeb2bd49256f00485402f3113205f91d30
Linux Linux ed842faeb2bd49256f00485402f3113205f91d30
Linux Linux ed842faeb2bd49256f00485402f3113205f91d30
Linux Linux ed842faeb2bd49256f00485402f3113205f91d30
Linux Linux ed842faeb2bd49256f00485402f3113205f91d30
Linux Linux ed842faeb2bd49256f00485402f3113205f91d30
Linux Linux ed842faeb2bd49256f00485402f3113205f91d30
Linux Linux ed842faeb2bd49256f00485402f3113205f91d30
Linux Linux 4.15

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version ed842faeb2bd49256f00485402f3113205f91d30, 4.15

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header.",
    "published": "2026-04-25T08:46:59.106Z",
    "modified": "2026-04-27T14:05:02.173Z",
    "type": "cve",
    "title": "bridge: br_nd_send: linearize skb before parsing ND options",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/c68433fd291c9e88c00292095172c62d1997d662\nhttps://git.kernel.org/stable/c/4f397b950c916e9a1f8a4fce04ea0110206cad47\nhttps://git.kernel.org/stable/c/bd91ec85aa4c77d645bd2739fc56784157a88ca2\nhttps://git.kernel.org/stable/c/658261898130da620fc3d0fbb0523efb3366cb55\nhttps://git.kernel.org/stable/c/2ba4caba423ed94d63006eb1d2227b0332ab7fcd\nhttps://git.kernel.org/stable/c/9c55e41c73af5c4511070933b1bd25248521270c\nhttps://git.kernel.org/stable/c/3a30f6469b058574f49efde61cd6f5d79e576053\nhttps://git.kernel.org/stable/c/a01aee7cafc575bb82f5529e8734e7052f9b16ea",
    "id": "CVE-2026-31682",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux ed842faeb2bd49256f00485402f3113205f91d30\nLinux Linux ed842faeb2bd49256f00485402f3113205f91d30\nLinux Linux ed842faeb2bd49256f00485402f3113205f91d30\nLinux Linux ed842faeb2bd49256f00485402f3113205f91d30\nLinux Linux ed842faeb2bd49256f00485402f3113205f91d30\nLinux Linux ed842faeb2bd49256f00485402f3113205f91d30\nLinux Linux ed842faeb2bd49256f00485402f3113205f91d30\nLinux Linux ed842faeb2bd49256f00485402f3113205f91d30\nLinux Linux 4.15",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "ed842faeb2bd49256f00485402f3113205f91d30",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel's bridge functionality allows for potential data access beyond the linear buffer, potentially leading to information disclosure or other security issues.",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "ed842faeb2bd49256f00485402f3113205f91d30, 4.15",
    "ai_score": 9.1
}