<Vulnerability name="CVE-2026-31681">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-04-25T00:00:00</PublicDate>
    <Bugzilla id="2461753" url="https://bugzilla.redhat.com/show_bug.cgi?id=2461753" xml:lang="en:us">
kernel: netfilter: xt_multiport: validate range encoding in checkentry
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-125</CWE>
    <Details xml:lang="en:us" source="Mitre">
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_multiport: validate range encoding in checkentry

ports_match_v1() treats any non-zero pflags entry as the start of a
port range and unconditionally consumes the next ports[] element as
the range end.

The checkentry path currently validates protocol, flags and count, but
it does not validate the range encoding itself. As a result, malformed
rules can mark the last slot as a range start or place two range starts
back to back, leaving ports_match_v1() to step past the last valid
ports[] element while interpreting the rule.

Reject malformed multiport v1 rules in checkentry by validating that
each range start has a following element and that the following element
is not itself marked as another range start.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the Linux kernel's netfilter xt_multiport module. This vulnerability arises from insufficient validation of range encoding within the `checkentry` function. A local attacker can exploit this by crafting malformed multiport rules, which causes the `ports_match_v1()` function to read beyond its intended memory boundary. This out-of-bounds read can lead to a denial of service (DoS) or potentially disclose sensitive information.
    </Details>
    <Statement xml:lang="en:us">
An out-of-bounds read can occur in the xt_multiport v1 match because the range encoding uses pflags: the matcher treats any non-zero pflags entry as the start of a port range and then unconditionally consumes the next ports element as the range end. The checkentry path previously validated protocol, flags and count, but did not validate that every range start has a following element and that two consecutive elements are not both marked as range starts. A local attacker with CAP_NET_ADMIN can install a malformed rule with an invalid pflags layout and later trigger the match during packet processing. This can lead to a kernel crash. For the CVSS score, PR is L because installing or modifying iptables or ip6tables rules requires administrative networking privileges.
    </Statement>
    <Mitigation xml:lang="en:us">
Triggering the issue requires the ability to create user/net namespaces.

On non-containerized deployments of Red Hat Enterprise Linux 8, it is recommended to disable user namespaces by setting user.max_user_namespaces to 0:

# echo "user.max_user_namespaces=0" &gt; /etc/sysctl.d/userns.conf
# sysctl -p /etc/sysctl.d/userns.conf

On containerized deployments, such as Red Hat OpenShift Container Platform, do not use this mitigation, as user namespaces need to remain enabled for the platform to function.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-31681
https://nvd.nist.gov/vuln/detail/CVE-2026-31681
https://lore.kernel.org/linux-cve-announce/2026042545-CVE-2026-31681-3c5b@gregkh/T
    </References>
</Vulnerability>