Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-25T00:00:00 kernel: net/sched: sch_netem: fix out-of-bounds access in packet corruption 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CWE-1285

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.

A flaw was found in the Linux kernel's netem (network emulator) module. When processing certain non-linear network packets, specifically those sent via an AF_PACKET TX_RING over an IPIP tunnel, a calculation error can occur. This error leads to an out-of-bounds memory access, which could result in system instability or a denial of service.

NETEM corruption path could walk non-linear skbs incorrectly and read OOB. Red Hat advises patched kernels where traffic control uses `sch_netem`; optional mitigation is avoiding loadable `sch_netem` where policy allows. To mitigate this issue, prevent the sch_netem module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Fix deferred kernel Red Hat Enterprise Linux 7 Fix deferred kernel-rt Red Hat Enterprise Linux 8 Fix deferred kernel Red Hat Enterprise Linux 8 Fix deferred kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31675 https://nvd.nist.gov/vuln/detail/CVE-2026-31675 https://lore.kernel.org/linux-cve-announce/2026042543-CVE-2026-31675-e5da@gregkh/T