CRITICAL🇵🇱 Wersja polska

CVE-2026-31405

CVSS 9.8v3.1pub. 2026-04-06upd. 2026-05-20

In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.

🤖 AI Analysis
How it works

The ULE extension handler tables (ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[]) are declared with 255 elements (valid indices 0–254). The htype index is determined from network-controlled data via the expression (ule_sndu_type & 0x00FF), which yields a range of 0–255. When htype takes the value 255, an out-of-bounds read occurs in the function pointer table. The value read in this way can then be invoked as a function pointer, opening a path to code execution. The fix introduces a check of the htype value against the table size before its use — SNDU packets with values outside the range are now rejected.

Impact

An attacker supplying properly crafted network data can trigger an out-of-bounds memory read and potentially execute arbitrary code in the kernel context, which may result in complete system compromise.

Mitigation & patch

Apply patches available from the vendor according to references (commits published in the kernel.org/stable repository)

Who is affected

Linux kernel — versions indicated in vendor references (commits available in the stable repository at kernel.org)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    OS
    Linux
    2.6.127.05.16 – 6.1.167 (bez)6.2 – 6.6.130 (bez)2.6.12.1 – 5.10.253 (bez)6.13 – 6.18.19 (bez)6.19 – 6.19.9 (bez)6.7 – 6.12.78 (bez)5.11 – 5.15.203 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...

CVE-2022-22954CRITICAL9.8⚠ KEVten sam produkt

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...

CVE-2020-4006CRITICAL9.1⚠ KEVten sam produkt

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...