PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31405 Linux CVE debrief

CVE-2026-31405 is a critical Linux kernel media/dvb-net memory-safety issue. Network-controlled ULE extension data can produce htype values from 0-255, but the handler tables are sized for valid indices 0-254. When htype is 255, the kernel can read past the end of the function-pointer table, and the out-of-bounds value may be invoked as a function pointer. The published fix adds a bounds check and discards out-of-range SNDUs. NVD lists the issue as analyzed, with CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and provides affected Linux kernel version ranges through multiple stable branches.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-06
Original CVE updated: 2026-05-20
Advisory published: 2026-04-06
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, embedded device vendors, and operators running kernels that include the dvb-net media code path should care, especially where DVB networking features are enabled or reachable through untrusted input. Security responders should treat it as a critical kernel memory-safety bug with a public patch available.

Technical summary

In handle_one_ule_extension(), the ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables are declared with 255 elements, so valid indices are 0-254. The handler index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), which permits 255. That mismatch allows an out-of-bounds read from a function-pointer table. The fix adds a size check before either table is accessed; values outside the table bounds now cause the SNDU to be discarded. The weakness is categorized by NVD as CWE-125.
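The size mismatch described above, as a constructed C model added to this debrief (it is not the kernel's code or the published patch): the tables have 255 slots, htype is the low byte of the SNDU type, and the dispatch function checks the index against the table size before touching either table, so an htype of 255 discards the SNDU instead of reading one slot past the end. The handler type, the stub handler and the return values are stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the defect: tables of 255 entries (valid 0..254)
 * indexed by a network-derived byte that can reach 255. */
#define ULE_EXT_TABLE_SIZE 255
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

enum ule_result { ULE_HANDLED = 0, ULE_DISCARDED = -1 };

/* Stand-in handler signature; the real handlers take a parsing context. */
typedef int (*ule_ext_handler)(uint16_t htype);

static int model_handler(uint16_t htype) { (void)htype; return ULE_HANDLED; }

/* Placeholder handler tables sized as the summary describes. */
static ule_ext_handler ule_mandatory_ext_handlers[ULE_EXT_TABLE_SIZE];
static ule_ext_handler ule_optional_ext_handlers[ULE_EXT_TABLE_SIZE];

/* Fill both tables with the stub; returns the number of slots filled. */
static size_t init_tables(void) {
    size_t i;
    for (i = 0; i < ARRAY_SIZE(ule_mandatory_ext_handlers); i++) {
        ule_mandatory_ext_handlers[i] = model_handler;
        ule_optional_ext_handlers[i] = model_handler;
    }
    return i;
}

/* htype is derived exactly as stated: the low byte of ule_sndu_type. */
static uint16_t ule_htype(uint16_t ule_sndu_type) { return ule_sndu_type & 0x00FF; }

/* Hardened dispatch: bounds check first, then index the table.
 * Without the check, htype == 255 reads past the end of a function-pointer
 * table and the out-of-bounds value may be called. */
static int handle_one_ule_extension_checked(uint16_t ule_sndu_type, int mandatory) {
    uint16_t htype = ule_htype(ule_sndu_type);
    if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers))
        return ULE_DISCARDED;            /* out of range: discard the SNDU */
    ule_ext_handler h = mandatory ? ule_mandatory_ext_handlers[htype]
                                  : ule_optional_ext_handlers[htype];
    return h ? h(htype) : ULE_DISCARDED;
}

int main(void) {
    init_tables();
    /* Constructed SNDU type values: low byte 0x10 is in range, 0xFF is not. */
    printf("htype 0x10 -> %d\n", handle_one_ule_extension_checked(0x0010, 1));
    printf("htype 0xFF -> %d\n", handle_one_ule_extension_checked(0x00FF, 1));
    return 0;
}
```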

Defensive priority

High. This is a critical kernel issue with network-controlled input and vendor patches already available. Prioritize patching affected Linux kernel builds, especially systems that include the dvb-net path and are exposed to untrusted DVB traffic or inputs. Use the NVD version ranges to confirm whether a specific kernel build is affected.

Recommended defensive actions

  • Apply the vendor or stable kernel patches referenced by NVD.
  • Verify whether your kernel build falls within the affected ranges listed by NVD before and after backporting.
  • If DVB networking is not required, disable or remove the relevant kernel feature set where operationally feasible.
  • Rebuild and redeploy any custom or embedded kernels that may not receive automatic stable updates.
  • Track the official Linux kernel release notes and distro advisories for backported fixes.
  • Use the CVE published date (2026-04-06) and NVD modification date (2026-05-20) to align remediation and verification timelines.

Evidence notes

All statements are based on the supplied CVE description and NVD metadata. The issue was published on 2026-04-06 and last modified in NVD on 2026-05-20. NVD marks the CVE as analyzed, lists CVSS 3.1 9.8/CRITICAL, and includes patch references from git.kernel.org. No KEV entry was provided in the source corpus.

Official resources

CVE published: 2026-04-06T08:16:38.253Z. NVD modified: 2026-05-20T12:01:54.307Z. No KEV listing was provided in the source corpus. Patch references were available at the time of the NVD record update.