CVE-2026-31495

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An issue exists in the netfilter ctnetlink component where manual range and mask validations are used instead of netlink policy annotations. This can lead to undefined behavior when the CTA PROTOINFO TCP WSCALE ORIGINAL or CTA PROTOINFO TCP WSCALE REPLY variables are used as a u32 shift count because the ctnetlink path accepts values from 0 to 255, exceeding the maximum allowed TCP window scale of 14. Additionally, the system lacks policy-level rejection for values exceeding TCP CONNTRACK SYN SENT2 in CTA PROTOINFO TCP STATE and lacks proper mask validations for CTA FILTER ORIG FLAGS, CTA FILTER REPLY FLAGS, and CTA EXPECT FLAGS.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.