CVE-2026-31684

EUVD-2026-25651

25.04.2026, 09:16

In the Linux kernel, the following vulnerability has been resolved:

net: sched: act_csum: validate nested VLAN headers

tcf_csum_act() walks nested VLAN headers directly from skb->data when an
skb still carries in-payload VLAN tags. The current code reads
vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
first ensuring that the full VLAN header is present in the linear area.

If only part of an inner VLAN header is linearized, accessing
h_vlan_encapsulated_proto reads past the linear area, and the following
skb_pull(VLAN_HLEN) may violate skb invariants.

Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
pulling each nested VLAN header. If the header still is not fully
available, drop the packet through the existing error path.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	vulnerable
sid	6.19.14-1 fixed
trixie	vulnerable
trixie (security)	vulnerable

References

https://git.kernel.org/stable/c/3d165d975305cf76ff0b10a3c798fb31e5f5f9a5

https://git.kernel.org/stable/c/a69738efea0996d05a3c7d2178551b891744df1b

https://git.kernel.org/stable/c/c842743d073bdd683606cb414eb0ca84465dd834

https://git.kernel.org/stable/c/ec4930979b3f7bbeb7af5744599fc6603a4dba62