{ "threat_severity" : "Moderate", "public_date" : "2026-04-23T00:00:00Z", "bugzilla" : { "description" : "kernel: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()", "id" : "2461108", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461108" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-131", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()\nWhen querying a nexthop object via RTM_GETNEXTHOP, the kernel currently\nallocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for\nsingle nexthops and small Equal-Cost Multi-Path groups, this fixed\nallocation fails for large nexthop groups like 512 nexthops.\nThis results in the following warning splat:\nWARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608\n[...]\nRIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)\n[...]\nCall Trace:\n\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6989)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)\n___sys_sendmsg (net/socket.c:2641)\n__sys_sendmsg (net/socket.c:2671)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by allocating the size dynamically using nh_nlmsg_size() and\nusing nlmsg_new(), this is consistent with nexthop_notify() behavior. In\naddition, adjust nh_nlmsg_size_grp() so it calculates the size needed\nbased on flags passed. While at it, also add the size of NHA_FDB for\nnexthop group size calculation as it was missing too.\nThis cannot be reproduced via iproute2 as the group size is currently\nlimited and the command fails as follows:\naddattr_l ERROR: message exceeded bound of 1048", "A flaw was found in the Linux kernel. A local user can trigger a denial of service by querying a nexthop object with a large number of nexthop groups. This occurs because the kernel uses a fixed-size buffer that cannot accommodate the large response, leading to a kernel warning and potential system instability." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31531\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31531\nhttps://lore.kernel.org/linux-cve-announce/2026042347-CVE-2026-31531-6f6d@gregkh/T" ], "name" : "CVE-2026-31531", "csaw" : false }