{ "threat_severity" : "Moderate", "public_date" : "2026-04-08T00:00:00Z", "bugzilla" : { "description" : "kernel: net: atm: fix crash due to unvalidated vcc pointer in sigd_send()", "id" : "2456521", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456521" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-822", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\nReproducer available at [1].\nThe ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc\npointer from msg->vcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\nint fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\nioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon\nstruct msghdr msg = { .msg_iov = &iov, ... };\n*(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer\nsendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3", "A flaw was found in the Linux kernel's Asynchronous Transfer Mode (ATM) networking component. A local attacker, by acting as a malicious signaling daemon, could send a specially crafted message containing an unvalidated pointer. This unvalidated pointer would be directly used by the kernel, leading to the dereference of an arbitrary memory address. The consequence is a system crash, resulting in a Denial of Service (DoS)." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31411\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31411\nhttps://lore.kernel.org/linux-cve-announce/2026040820-CVE-2026-31411-7ef9@gregkh/T" ], "name" : "CVE-2026-31411", "csaw" : false }