netfilter: ip6t_eui64: reject invalid MAC header for all packets

9.4 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_eui64: reject invalid MAC header for all packets

`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.

The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.

Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.

AI Analysis

A vulnerability in the Linux kernel's netfilter: ip6t_eui64 module allows an attacker to reject invalid MAC headers for all packets, potentially leading to a denial of service.

Basic Information

ID CVE-2026-31685

Source Linux

Published Apr 25, 2026 at 08:47

Modified Apr 27, 2026 at 14:05

Affected Product

Vendor Linux

Product Linux

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Affected Versions Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 2.6.12

AI Assessment

AI Score 9.4 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 2.6.12

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par->fragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
    "published": "2026-04-25T08:47:02.857Z",
    "modified": "2026-04-27T14:05:04.347Z",
    "type": "cve",
    "title": "netfilter: ip6t_eui64: reject invalid MAC header for all packets",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a\nhttps://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091\nhttps://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6\nhttps://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55\nhttps://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8",
    "id": "CVE-2026-31685",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 2.6.12",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel's netfilter: ip6t_eui64 module allows an attacker to reject invalid MAC headers for all packets, potentially leading to a denial of service.",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 2.6.12",
    "ai_score": 9.4
}

netfilter: ip6t_eui64: reject invalid MAC header for all packets_CVE-2026-31685