DEBIAN-CVE-2026-31675

DEBIAN-CVE-2026-31675 PUBLISHED CVSS 7.800000190734863 HIGH

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.

Risk Scores

CVSS v3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:13	linux	0, 6.12.74-2, 6.12.74-2
Debian:11	linux	7.0.1-1, 5.17~rc8-1~exp1, 5.18-1~exp1
Debian:12	linux	6.12.9-1, 6.11.4-1, 6.11.5-1
Debian	linux
Debian:14	linux	6.16.12-1~bpo13+1, 6.16.12-2, 6.16.3-1

Timeline

Apr 25, 2026 CVE Published
Apr 30, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-31675 advisory

Open in Interactive Console →