PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31411 Linux CVE debrief

CVE-2026-31411 is a Linux kernel availability issue in the ATM signaling send path. According to the supplied CVE/NVD material, sigd_send() used a vcc pointer taken from msg->vcc without validating that it referred to a real VCC object. A local attacker who can reach the ATM signaling daemon path could supply a forged pointer value and trigger a kernel crash. The kernel fix adds validation by searching the VCC hash and taking a reference before use.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-08
Original CVE updated
2026-05-20
Advisory published
2026-04-08
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that include ATM/AF_ATMSVC support. This is most relevant where local users can access the affected socket path or where legacy ATM functionality is still enabled.

Technical summary

The issue is in the ATM send path (sendmsg -> vcc_sendmsg -> sigd_send). The source corpus states that msg->vcc was used directly, even though that value originates from userspace and can be forged. In normal operation, the kernel passes the VCC pointer to the signaling daemon and expects the same pointer back, but a malicious or compromised daemon can return an arbitrary value. The fix introduces find_get_vcc() to locate the VCC through vcc_hash and acquire a reference with sock_hold(); sock_put() then releases it after use. The supplied NVD record classifies the flaw as CWE-476 and assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Defensive priority

Medium. The impact is a local kernel crash rather than data compromise, but it affects kernel availability and can be reached through legacy ATM functionality. Prioritize systems that still expose ATM support or where local multi-user access exists.

Recommended defensive actions

  • Apply the kernel updates associated with the supplied stable patch references.
  • If ATM support is not required, disable or remove the affected subsystem where practical.
  • Restrict local access to systems that expose ATM/AF_ATMSVC functionality.
  • Verify whether your kernel build includes the affected ATM code paths and whether vendor backports are installed.
  • Track distribution advisories for backported fixes matching the referenced kernel commits.

Evidence notes

The supplied CVE description says sigd_send() reads the vcc pointer from msg->vcc without validation and that this pointer can be forged from userspace via sendmsg(). It also states the remediation: validating the pointer by searching vcc_hash and taking a sock reference. The NVD record marks the vulnerability as analyzed, assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and lists CWE-476. Publication timing in the supplied corpus is 2026-04-08T14:16:27.977Z, with modification on 2026-05-20T16:03:38.647Z.

Official resources

Published in the supplied CVE record on 2026-04-08T14:16:27.977Z and modified on 2026-05-20T16:03:38.647Z. No CISA KEV entry is present in the supplied timeline.