{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bridge: br_nd_send: linearize skb before parsing ND options",
    "id" : "2461754",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461754"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbridge: br_nd_send: linearize skb before parsing ND options\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\nLinearize request before option parsing and derive ns from the linear\nnetwork header.", "A flaw was found in the Linux kernel's bridge component. This vulnerability occurs because the system does not properly prepare network packet data before processing Neighbor Discovery (ND) options. An attacker could exploit this by sending specially crafted network packets, causing the system to read sensitive information from unintended memory locations or crash the system, leading to a denial of service." ],
  "statement" : "The bridge code must linearize the skb before br_nd_send() parses Neighbor Discovery (ND) options; otherwise, when the option area lies in the non-linear part of the skb, option parsing can read past the linear buffer. Red Hat recommends patched kernels for Linux bridge deployments.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31682\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31682\nhttps://lore.kernel.org/linux-cve-announce/2026042545-CVE-2026-31682-fe50@gregkh/T" ],
  "name" : "CVE-2026-31682",
  "mitigation" : {
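    "value" : "To mitigate this issue, prevent the bridge kernel module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Because this disables Linux bridging on the host, it is only suitable for systems that do not rely on bridge interfaces.",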
    "lang" : "en:us"
  },
  "csaw" : false
}