CVE-2026-31682

{"id": "CVE-2026-31682", "cveTags": [], "metrics": {}, "published": "2026-04-25T09:16:01.913", "references": [{"url": "https://git.kernel.org/stable/c/2ba4caba423ed94d63006eb1d2227b0332ab7fcd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3a30f6469b058574f49efde61cd6f5d79e576053", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4f397b950c916e9a1f8a4fce04ea0110206cad47", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/658261898130da620fc3d0fbb0523efb3366cb55", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9c55e41c73af5c4511070933b1bd25248521270c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a01aee7cafc575bb82f5529e8734e7052f9b16ea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bd91ec85aa4c77d645bd2739fc56784157a88ca2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c68433fd291c9e88c00292095172c62d1997d662", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header."}], "lastModified": "2026-04-25T09:16:01.913", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}