CVE-2026-31415 Linux CVE debrief

Who should care

Linux system operators, distribution maintainers, and security teams running affected kernel versions, especially systems that permit unprivileged user namespaces or expose CAP_NET_RAW to local workloads. Hosts with IPv6 enabled and software that can submit ancillary IPv6 sendmsg control messages should be prioritized.

Technical summary

According to the CVE description, ip6_datagram_send_ctl() accepts repeated IPV6_DSTOPTS cmsgs and adds each header length into struct ipv6_txoptions::opt_flen, which is a __u16. When enough large destination-options headers are supplied, opt_flen can wrap while opt->dst1opt still points to the last, large header. Later transmit-path code uses the wrapped opt_flen to size headers and headroom, but the actual push length comes from the pointed-to header via ipv6_push_frag_opts()/ipv6_push_exthdr(). That mismatch can make skb_push() underflow and trigger skb_under_panic(), causing a BUG and local crash.

Defensive priority

High for systems where local users can create user namespaces or otherwise obtain CAP_NET_RAW; medium otherwise. This is a local, high-impact availability issue because it can crash the kernel, but it does not indicate direct confidentiality or integrity impact.

Recommended defensive actions

• Apply the fixed kernel updates or vendor backports that include the referenced patches.
• Prioritize remediation on kernels within the affected NVD version ranges: from 2.6.14 up to the listed stable cutoffs, including the 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc series noted by NVD.
• Reduce exposure to unprivileged user namespaces where feasible, since the described path can be reached by a local user who can obtain namespaced CAP_NET_RAW.
• Review which local workloads or containers can create IPv6 ancillary data with destination-options control messages.
• Monitor for unexpected kernel crashes or BUG() events on hosts running affected kernels.
• Confirm that your distro’s backport includes the IPv6 sendmsg fix rather than relying only on version number checks.

Evidence notes

The vulnerability summary, local DoS impact, and privilege requirements come from the supplied CVE description. NVD marks the record as analyzed and assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H with CWE-617. The supplied NVD metadata also lists Linux kernel version ranges considered vulnerable and provides multiple stable kernel patch references on kernel.org. The timing context uses the CVE publishedAt and modifiedAt values provided in the source bundle.

Official resources