{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: sch_netem: fix out-of-bounds access in packet corruption",
    "id" : "2461760",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461760"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1285",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: sch_netem: fix out-of-bounds access in packet corruption\nIn netem_enqueue(), the packet corruption logic uses\nget_random_u32_below(skb_headlen(skb)) to select an index for\nmodifying skb->data. When an AF_PACKET TX_RING sends fully non-linear\npackets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.\nPassing 0 to get_random_u32_below() takes the variable-ceil slow path\nwhich returns an unconstrained 32-bit random integer. Using this\nunconstrained value as an offset into skb->data results in an\nout-of-bounds memory access.\nFix this by verifying skb_headlen(skb) is non-zero before attempting\nto corrupt the linear data area. Fully non-linear packets will silently\nbypass the corruption logic.", "A flaw was found in the Linux kernel's netem (network emulator) module. When processing certain non-linear network packets, specifically those sent via an AF_PACKET TX_RING over an IPIP tunnel, a calculation error can occur. This error leads to an out-of-bounds memory access, which could result in system instability or a denial of service." ],
  "statement" : "NETEM corruption path could walk non-linear skbs incorrectly and read OOB. Red Hat advises patched kernels where traffic control uses `sch_netem`; optional mitigation is avoiding loadable `sch_netem` where policy allows.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31675\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31675\nhttps://lore.kernel.org/linux-cve-announce/2026042543-CVE-2026-31675-e5da@gregkh/T" ],
  "name" : "CVE-2026-31675",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the sch_netem module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}