CVE-2026-31684

{"id": "CVE-2026-31684", "cveTags": [], "metrics": {}, "published": "2026-04-25T09:16:02.163", "references": [{"url": "https://git.kernel.org/stable/c/3d165d975305cf76ff0b10a3c798fb31e5f5f9a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a69738efea0996d05a3c7d2178551b891744df1b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c842743d073bdd683606cb414eb0ca84465dd834", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ec4930979b3f7bbeb7af5744599fc6603a4dba62", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_csum: validate nested VLAN headers\n\ntcf_csum_act() walks nested VLAN headers directly from skb->data when an\nskb still carries in-payload VLAN tags. The current code reads\nvlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without\nfirst ensuring that the full VLAN header is present in the linear area.\n\nIf only part of an inner VLAN header is linearized, accessing\nh_vlan_encapsulated_proto reads past the linear area, and the following\nskb_pull(VLAN_HLEN) may violate skb invariants.\n\nFix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and\npulling each nested VLAN header. If the header still is not fully\navailable, drop the packet through the existing error path."}], "lastModified": "2026-04-25T09:16:02.163", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}