{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: xt_multiport: validate range encoding in checkentry",
    "id" : "2461753",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461753"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: xt_multiport: validate range encoding in checkentry\nports_match_v1() treats any non-zero pflags entry as the start of a\nport range and unconditionally consumes the next ports[] element as\nthe range end.\nThe checkentry path currently validates protocol, flags and count, but\nit does not validate the range encoding itself. As a result, malformed\nrules can mark the last slot as a range start or place two range starts\nback to back, leaving ports_match_v1() to step past the last valid\nports[] element while interpreting the rule.\nReject malformed multiport v1 rules in checkentry by validating that\neach range start has a following element and that the following element\nis not itself marked as another range start.", "A flaw was found in the Linux kernel's netfilter xt_multiport module. This vulnerability arises from insufficient validation of range encoding within the `checkentry` function. A local attacker can exploit this by crafting malformed multiport rules, which causes the `ports_match_v1()` function to read beyond its intended memory boundary. This out-of-bounds read can lead to a denial of service (DoS) or potentially disclose sensitive information." ],
  "statement" : "An out-of-bounds read can occur in the xt_multiport v1 match because the range encoding uses pflags, and the matcher treats any non-zero pflags entry as the start of a port range and then unconditionally consumes the next ports element as the range end. The checkentry path previously validated protocol, flags and count but did not validate that every range start has a following element and that two consecutive elements are not both marked as range starts. A local attacker with CAP_NET_ADMIN can install a malformed rule with an invalid pflags layout and later trigger the match during packet processing. This can lead to a kernel crash. For the CVSS, the PR is L because installing or modifying iptables or ip6tables rules requires administrative networking privileges.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31681\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31681\nhttps://lore.kernel.org/linux-cve-announce/2026042545-CVE-2026-31681-3c5b@gregkh/T" ],
  "name" : "CVE-2026-31681",
  "mitigation" : {
    "value" : "Triggering the issue requires the ability to create user/net namespaces.\nOn non-containerized deployments of Red Hat Enterprise Linux 8, it is recommended to disable user namespaces by setting user.max_user_namespaces to 0:\n# echo \"user.max_user_namespaces=0\" > /etc/sysctl.d/userns.conf\n# sysctl -p /etc/sysctl.d/userns.conf\nOn containerized deployments, such as Red Hat OpenShift Container Platform, do not use this mitigation, as the functionality needs to be enabled.",
    "lang" : "en:us"
  },
  "csaw" : false
}