PT-2026-32341 · Linux · Linux Kernel
Yiming Qian · Published 2026-04-13 · Updated 2026-05-03 · CVE-2026-31415
CVSS v3.1: 5.5 Medium
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
An issue exists in the IPv6 sendmsg ancillary-data path where a mismatch occurs between a 16-bit length accumulator opt_flen and a pointer to the last provided destination-options header dst1opt when multiple IPV6_DSTOPTS control messages are provided. The function ip6_datagram_send_ctl() accepts repeated IPV6_DSTOPTS and increments opt_flen without rejecting duplicates, allowing the 16-bit value to wrap around. Consequently, the transmit path underestimates the required headroom. When the final socket buffer is built, the actual push length is derived from dst1opt rather than the wrapped opt_flen, leading to a buffer underflow in skb_push() that triggers a kernel panic. This can be exploited by a local user with CAP_NET_RAW privileges, or an unprivileged user if unprivileged user namespaces are enabled, resulting in a local denial of service.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
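The accounting mismatch from the description, as an added user-space model (not kernel code and not the upstream fix). The struct layout, the function names, the sample lengths and the guard in add_checked() are assumptions made for illustration; real headroom sizing also covers other headers.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model only: field names follow the advisory, the layout is assumed. */
struct txopt_model {
    uint16_t opt_flen;     /* 16-bit running total of option bytes */
    size_t   dst1opt_len;  /* length of the last header seen (stands in for dst1opt) */
    int      have_dst1opt;
};

/* Flawed accounting: a repeated header is accepted and added to the total. */
static int add_unchecked(struct txopt_model *o, size_t len)
{
    o->opt_flen = (uint16_t)(o->opt_flen + len);   /* wraps modulo 65536 */
    o->dst1opt_len = len;
    o->have_dst1opt = 1;
    return 0;
}

/* Assumed guard: refuse a duplicate header and any total that exceeds 16 bits. */
static int add_checked(struct txopt_model *o, size_t len)
{
    if (o->have_dst1opt || len > (size_t)(UINT16_MAX - o->opt_flen))
        return -1;
    return add_unchecked(o, len);
}

/* Simplified: headroom is sized from opt_flen, the push uses the real header length. */
static int push_underflows(const struct txopt_model *o)
{
    return o->have_dst1opt && o->dst1opt_len > (size_t)o->opt_flen;
}

/* Feed n constructed headers of len bytes; 1 = underflow, 0 = fits, -1 = rejected. */
int simulate(int checked, size_t n, size_t len)
{
    struct txopt_model o = {0, 0, 0};
    for (size_t i = 0; i < n; i++)
        if ((checked ? add_checked(&o, len) : add_unchecked(&o, len)) < 0)
            return -1;
    return push_underflows(&o);
}

int main(void)
{
    /* Constructed input: 33 headers of 2000 bytes sum to 66000, which wraps to 464. */
    printf("%d %d %d\n", simulate(0, 33, 2000), simulate(1, 33, 2000), simulate(1, 1, 2000));
    return 0;
}
```

With the guard in place the repeated header is rejected before the total can wrap, so the reserved headroom and the pushed length stay in agreement.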
Assertion Failure
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel