PatchSiren cyber security CVE debrief

CVE-2026-31414 Linux CVE debrief

CVE-2026-31414 is a critical Linux kernel netfilter/conntrack issue involving unsafe helper-name handling in nf_conntrack_expect. NVD says the bug can be reached over the network with no privileges or user interaction, and the published fix switches ctnetlink and /proc dumping to use expect->helper and related reference-safe paths.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-05-20
Advisory published: 2026-04-13
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, server and cloud operators, container platform owners, and anyone running kernels in the affected branches should treat this as high priority.

Technical summary

According to the NVD description and the linked kernel patches, the vulnerable logic used nfct_help() in contexts where the master conntrack reference was not safely held. The fix changes helper-name lookup to use expect->helper, and in the ctnetlink creation path to use exp->master->helper when userspace does not explicitly provide a helper, preserving existing behavior while avoiding unsafe reference use. NVD’s CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates remote, unauthenticated exposure with potentially severe impact. The affected version ranges published by NVD span Linux kernel 2.6.30 through multiple maintained branches, including 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc builds.

Defensive priority

Critical. This is a remotely reachable kernel issue with no required privileges or user interaction, and NVD rates the impact high across confidentiality, integrity, and availability.

Recommended defensive actions

  • Apply the vendor or stable kernel update that contains the fix for your branch; use the official patch references as a validation aid.
  • Prioritize exposed servers, container hosts, network appliances, and other systems that rely on netfilter/conntrack.
  • If you manage affected kernels, verify whether your deployed version falls within NVD’s listed vulnerable ranges before scheduling remediation.
  • After patching, plan the required reboot or live-update procedure to ensure the new kernel is active.
  • Track distro backports and confirm the fixed commit or equivalent patch is present in your packaged kernel build.
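The third and fifth actions above (checking the deployed version against the vulnerable ranges, and confirming the fix is actually present in a packaged kernel) are easy to get wrong when a fleet mixes upstream stable kernels with distro builds, because a distro version string such as 6.1.85-1-amd64 says nothing about which stable patches were backported. The helper below is an added example, not PatchSiren's tooling. The branch list (6.1, 6.6, 6.12, 6.18, 6.19) and the 2.6.30 introduction point come from the debrief; the first-fixed point release for each branch is not on the page, so the table ships with placeholder None entries that an operator must fill in from the stable patch references or the distro advisory. Distro-suffixed and -rc kernels are deliberately reported as "verify" outcomes rather than guessed at.

```python
"""Running-kernel triage against per-branch first-fixed versions
(added example, not PatchSiren's tooling).

The affected branches come from the debrief; the first-fixed point releases
are NOT on the page and must be supplied by the operator (see PLACEHOLDER below).
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Branch = Tuple[int, int]

# PLACEHOLDER table: branches named in the debrief, with the first-fixed patch
# level left as None until filled from the git.kernel.org stable references.
PLACEHOLDER_FIRST_FIXED: Dict[Branch, Optional[int]] = {
    (6, 1): None, (6, 6): None, (6, 12): None, (6, 18): None, (6, 19): None,
}
INTRODUCED = (2, 6, 30)  # oldest affected version in the NVD ranges quoted above

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?(.*)$")


def parse_kernel_version(uname_r: str):
    """Split a `uname -r` string into (major, minor, patch, rc, distro_suffix).

    '6.1.85-1-amd64' -> (6, 1, 85, None, '-1-amd64')
    '7.0-rc2'        -> (7, 0, 0, 2, '')
    """
    m = _VERSION_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    major, minor, patch, rc, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None), suffix


def assess(uname_r: str, first_fixed: Dict[Branch, Optional[int]]) -> str:
    """Classify a kernel version string against per-branch first-fixed patch levels.

    Returns one of:
      'not-affected'      version predates the 2.6.30 introduction point
      'fixed'             upstream stable release at or above the first-fixed level
      'vulnerable'        upstream stable release below the first-fixed level
      'verify-backport'   distro-packaged kernel: the upstream number alone is not
                          conclusive, check the package changelog for the fix commit
      'verify-prerelease' -rc build: confirm the fix commit is in the tree directly
      'unknown'           branch not in the table, or its fixed level not supplied
    """
    major, minor, patch, rc, suffix = parse_kernel_version(uname_r)
    if (major, minor, patch) < INTRODUCED:
        return "not-affected"
    if rc is not None:
        return "verify-prerelease"
    if suffix:
        return "verify-backport"
    fixed_patch = first_fixed.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def running_kernel() -> str:
    """Return the running kernel's `uname -r` output."""
    return subprocess.check_output(["uname", "-r"], text=True).strip()


if __name__ == "__main__":
    current = running_kernel()
    print(current, "->", assess(current, PLACEHOLDER_FIRST_FIXED))
```

Run it on a host after filling the table; a "verify-backport" result is the normal outcome on Debian, RHEL or Ubuntu kernels and means the next step is the package changelog or `rpm -q --changelog`, not a version comparison. A "vulnerable" or "unknown" result on a self-built stable kernel is the case to schedule the update and the follow-up reboot for.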

Evidence notes

NVD’s description states that nfct_help() was used without holding a reference to the master conntrack and that the fix is to use expect->helper in ctnetlink and /proc. The source item also links six official git.kernel.org stable patch references. CVSS details are taken from the supplied NVD record and indicate network reachability, low complexity, no privileges, and no user interaction. The CVE was published on 2026-04-13 and last modified on 2026-05-20; those dates are used only as disclosure timing context.

Official resources

Publicly disclosed in NVD on 2026-04-13 and updated on 2026-05-20 with stable kernel patch references.