
CVE-2026-31411: Linux Kernel Privilege Escalation Flaw

CVE-2026-31411 is a memory-safety vulnerability in the Linux kernel's ATM (Asynchronous Transfer Mode) networking subsystem: sigd_send() dereferences a VCC pointer supplied by the userspace signaling daemon without checking that it names a real, open VCC. A process that has registered itself as the signaling daemon can therefore crash the kernel and potentially corrupt kernel memory. This article covers the technical details, impact, detection and mitigation.

Published: April 10, 2026

CVE-2026-31411 Overview

CVE-2026-31411 is a vulnerability in the Linux kernel's ATM (Asynchronous Transfer Mode) networking subsystem. It lies in the sigd_send() function on the ATM signaling path, where a VCC (Virtual Circuit Connection) pointer received from userspace via sendmsg() is used directly without validation. A malicious process acting as the ATM signaling daemon can supply an arbitrary value in place of the pointer; when the kernel dereferences it, the result is kernel memory corruption or a crash.

Impact

A local attacker who can register as the ATM signaling daemon can make the kernel dereference an arbitrary pointer. That reliably crashes the machine (denial of service) and may, with more work, be turned into kernel memory corruption. Note that registering the daemon through the ATMSIGD_CTRL ioctl requires CAP_NET_ADMIN, so the starting point is an already privileged process rather than an unprivileged local user. NVD had not assigned a CVSS score at the time of writing, so treat the severity and impact ratings on this page as provisional.

Affected Products

  • Linux kernel (multiple stable branches affected)
  • Systems utilizing ATM networking functionality
  • Linux distributions with ATM subsystem enabled

Discovery Timeline

  • April 8, 2026 - CVE-2026-31411 published to NVD
  • April 8, 2026 - Last updated in NVD database

Technical Details for CVE-2026-31411

Vulnerability Analysis

The vulnerability resides in the ATM send path, specifically within the call chain sendmsg → vcc_sendmsg → sigd_send. During normal ATM signaling operations, the kernel passes a VCC pointer to the signaling daemon through sigd_enq() when processing socket operations such as connect(), bind(), or listen(). The daemon is expected to return this same pointer when responding. However, the sigd_send() function reads the VCC pointer from msg->vcc and uses it directly without any validation, trusting that the userspace daemon returns a legitimate pointer.

A malicious process exploits this by first establishing itself as the ATM signaling daemon with the ATMSIGD_CTRL ioctl on an AF_ATMSVC socket. Once registered, it can send messages carrying arbitrary values in place of legitimate VCC pointers. When the kernel processes such a message it dereferences the forged pointer, which can point anywhere in the address space (the reproducer cited in the report used 0xdeadbeef), resulting in a kernel crash or potential memory corruption.

Root Cause

The root cause is insufficient input validation in the kernel's ATM signaling interface. The sigd_send() function implicitly trusts that pointer values received from the userspace signaling daemon are valid kernel memory addresses that were previously passed to userspace by the kernel. This trust assumption is fundamentally flawed because userspace is untrusted and can supply arbitrary values. The lack of pointer validation before dereference creates a classic user-to-kernel attack surface.

Attack Vector

The attack requires local access, the ability to create an AF_ATMSVC socket, and the ability to issue the ATMSIGD_CTRL ioctl on it to become the ATM signaling daemon; the kernel's ATM ioctl handler only permits that registration to a process holding CAP_NET_ADMIN. The attacker then builds a message buffer with a forged VCC pointer at the expected offset and calls sendmsg() on the socket. The kernel processes the message and dereferences the attacker-controlled pointer, leading to a crash or a potentially exploitable memory access.

The fix introduces a find_get_vcc() function that validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs) and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime, making sock_hold/sock_put sufficient to keep the VCC alive during use.
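The two patterns described above, as an added userspace model that is not code from the kernel patch or from SentinelOne: the unchecked pointer trust in sigd_send() beside a lookup shaped like find_get_vcc(). It assumes a simplified struct vcc, a fixed-size table standing in for vcc_hash, an integer refcount standing in for the embedded struct sock's refcount, and the helper names sigd_vcc_unchecked, sigd_send_fixed, unchecked_path_accepts_forged and fixed_path_validates; none of these are the kernel's definitions. It goes one step beyond the text by also showing why the reference matters: the same real pointer is rejected once its VCC has been closed.

```c
/*
 * Added example, not kernel code: a userspace model of the pointer-trust bug
 * in sigd_send() and of the find_get_vcc() lookup that the fix introduces.
 * The kernel hands the signalling daemon a VCC pointer as an opaque value and
 * expects the same value back; the bug was dereferencing whatever came back.
 * The fix accepts only a value matching a VCC currently linked in vcc_hash
 * and takes a reference on it. All names below are simplified stand-ins.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VCC_TABLE_SIZE 8
#define FORGED_KPTR    ((uintptr_t)0xdeadbeef)   /* value from the reproducer */

struct vcc {
    int refcnt;   /* stands in for the refcount of the embedded struct sock */
    int vci;      /* circuit id, only for printing */
};

/* stands in for vcc_hash: open VCCs are linked here, closed ones removed */
static struct vcc *vcc_table[VCC_TABLE_SIZE];

/* one message from the daemon; the kernel pointer travels as an integer */
struct sigd_msg {
    uintptr_t vcc;   /* models msg->vcc, filled in by userspace */
};

static void vcc_link(struct vcc *v)
{
    for (size_t i = 0; i < VCC_TABLE_SIZE; i++)
        if (!vcc_table[i]) { vcc_table[i] = v; return; }
}

static void vcc_unlink(struct vcc *v)
{
    for (size_t i = 0; i < VCC_TABLE_SIZE; i++)
        if (vcc_table[i] == v) vcc_table[i] = NULL;
}

/* Vulnerable pattern: the integer from userspace is used as a kernel pointer.
 * Nothing checks that it names a VCC, and no reference is taken. */
static struct vcc *sigd_vcc_unchecked(const struct sigd_msg *msg)
{
    return (struct vcc *)msg->vcc;
}

/* Hardened pattern, modelling find_get_vcc(): walk the table the way
 * sigd_close() does, accept only an exact match, and hold a reference
 * (sock_hold()) so the VCC cannot go away while it is in use. */
static struct vcc *find_get_vcc(const struct sigd_msg *msg)
{
    for (size_t i = 0; i < VCC_TABLE_SIZE; i++) {
        struct vcc *v = vcc_table[i];
        if (v && (uintptr_t)v == msg->vcc) {
            v->refcnt++;
            return v;
        }
    }
    return NULL;
}

static void put_vcc(struct vcc *v) { v->refcnt--; }   /* sock_put() */

/* Fixed send path: 0 after using the VCC, -1 if the pointer was rejected. */
int sigd_send_fixed(const struct sigd_msg *msg)
{
    struct vcc *v = find_get_vcc(msg);
    if (!v)
        return -1;   /* forged or stale pointer: never dereferenced */
    printf("sigd_send: message for vci %d (refcnt in use: %d)\n", v->vci, v->refcnt);
    put_vcc(v);
    return 0;
}

/* 1 if the unchecked path hands the forged value on as a pointer. */
int unchecked_path_accepts_forged(void)
{
    struct sigd_msg forged = { .vcc = FORGED_KPTR };
    return (uintptr_t)sigd_vcc_unchecked(&forged) == FORGED_KPTR;
}

/* 1 if the fixed path accepts a live VCC, rejects a forged pointer, and
 * rejects the same real pointer once that VCC has been closed. */
int fixed_path_validates(void)
{
    struct vcc real = { .refcnt = 1, .vci = 42 };
    struct sigd_msg good = { .vcc = (uintptr_t)&real };
    struct sigd_msg forged = { .vcc = FORGED_KPTR };
    int ok;

    vcc_link(&real);
    ok = sigd_send_fixed(&good) == 0 && real.refcnt == 1;   /* hold/put balanced */
    ok = ok && sigd_send_fixed(&forged) == -1;
    vcc_unlink(&real);                                       /* VCC closed */
    ok = ok && sigd_send_fixed(&good) == -1;                 /* stale pointer rejected */
    return ok;
}

int main(void)
{
    printf("unchecked path trusts 0x%lx: %d\n",
           (unsigned long)FORGED_KPTR, unchecked_path_accepts_forged());
    printf("fixed path validates: %d\n", fixed_path_validates());
    return 0;
}
```

The lookup is linear here because the table is tiny; the kernel walks the vcc_hash buckets under its lock. The point that carries over is that a value from userspace is only ever compared against live kernel objects, never dereferenced, and that the reference taken in the lookup is what makes the later use safe.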

Detection Methods for CVE-2026-31411

Indicators of Compromise

  • Unexpected kernel crashes or panics with stack traces involving sigd_send(), vcc_sendmsg(), or ATM subsystem functions
  • Processes other than the distribution's atmsigd (from the linux-atm tools) registering as the ATM signaling daemon via the ATMSIGD_CTRL ioctl
  • AF_ATMSVC socket activity from unexpected processes, particularly ones that hold CAP_NET_ADMIN but have no business with ATM
  • Kernel oops messages referencing invalid memory addresses during ATM operations

Detection Strategies

  • Monitor for ATMSIGD_CTRL ioctl calls with syscall auditing or kernel tracing (ftrace/eBPF); the request number is 0x61f0 on x86 and arm64 (architectures such as powerpc and mips encode _IO() differently), which lets an audit rule filter on the ioctl's second argument
  • Deploy kernel crash monitoring to capture and analyze stack traces for ATM-related crashes
  • Add auditd rules that track socket creation with the AF_ATMSVC address family (numeric value 20)
  • Use eBPF-based monitoring to detect anomalous patterns in ATM subsystem interactions

Monitoring Recommendations

  • Enable kernel oops and panic logging to persistent storage for post-incident analysis
  • Configure crash dump collection (kdump) to capture kernel state during exploitation attempts
  • Monitor system logs for repeated kernel warnings or errors from the ATM networking subsystem
  • Consider disabling the ATM subsystem entirely if not required for operational purposes

How to Mitigate CVE-2026-31411

Immediate Actions Required

  • Update to a patched kernel version as soon as available from your Linux distribution
  • If ATM networking is not required, consider blacklisting or disabling the ATM kernel modules
  • Review and restrict access to systems where ATM functionality is enabled
  • Monitor systems for signs of exploitation attempts while patching is in progress

Patch Information

The fix has been committed to multiple stable kernel branches. The patch introduces find_get_vcc() which validates VCC pointers by searching through vcc_hash and acquires proper references using sock_hold() before use. The following commits contain the fix:

  • Kernel Git Commit 1c8bda3
  • Kernel Git Commit 21c303f
  • Kernel Git Commit 3e1a8b0
  • Kernel Git Commit 440c9a5
  • Kernel Git Commit 69d3f9e
  • Kernel Git Commit ae88a5d
  • Kernel Git Commit c96549d
  • Kernel Git Commit e3f8066

Workarounds

  • Prevent the ATM modules from loading if they are not required: a blacklist entry in /etc/modprobe.d/ only stops alias-driven autoloading, so pair it with an install-to-/bin/false line that also fails explicit modprobe calls. If the kernel was built with CONFIG_ATM=y there is no module to remove and only a kernel update helps.
  • Restrict AF_ATMSVC socket creation with seccomp filters on untrusted processes
  • Drop CAP_NET_ADMIN from workloads that do not need it (the ATMSIGD_CTRL ioctl requires it), and use SELinux or AppArmor to confine the processes that keep it
  • Network segmentation can isolate the few systems that genuinely need ATM, but it does not address this local attack vector; on those hosts, restrict who can log in and which services run with CAP_NET_ADMIN
```bash
# Disable the ATM core and protocol modules if nothing on the host needs them.
# "blacklist" only stops alias autoload; "install ... /bin/false" also makes
# an explicit modprobe fail.
cat > /etc/modprobe.d/disable-atm.conf <<'EOF'
blacklist atm
blacklist clip
blacklist br2684
blacklist pppoatm
install atm /bin/false
install clip /bin/false
install br2684 /bin/false
install pppoatm /bin/false
EOF

# Unload anything already loaded: protocol modules first, then the core.
# rmmod fails if a module is still in use, so confirm with lsmod afterwards.
rmmod pppoatm br2684 clip atm 2>/dev/null || true
lsmod | grep -E '^(atm|clip|br2684|pppoatm) ' || echo "no ATM modules loaded"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Privilege Escalation
  • Vendor/Tech: Linux Kernel
  • Severity: NONE
  • CVSS Score: N/A
  • EPSS Probability: 0.02%
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None
Related CVEs

  • CVE-2026-23438: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23439: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23437: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-31398: Linux Kernel Privilege Escalation Bug
©2026 SentinelOne, All Rights Reserved.