Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31411

CVE-2026-31411: Linux Kernel Privilege Escalation Flaw

CVE-2026-31411 is a privilege escalation vulnerability in the Linux kernel's ATM networking module caused by unvalidated pointer handling. This flaw allows malicious signaling daemons to crash the system or escalate privileges. This article covers technical details, impact analysis, and mitigation strategies.

Published:

CVE-2026-31411 Overview

CVE-2026-31411 is a kernel vulnerability in the Linux kernel's ATM (Asynchronous Transfer Mode) networking subsystem. The vulnerability exists in the sigd_send() function within the ATM signaling path, where a VCC (Virtual Circuit Connection) pointer received from userspace via sendmsg() is used directly without proper validation. This allows a malicious process acting as an ATM signaling daemon to supply arbitrary pointer values, leading to kernel memory corruption or crashes when the kernel attempts to dereference the forged pointer.

Critical Impact

A local attacker with the ability to become an ATM signaling daemon can cause kernel crashes through arbitrary pointer dereference, potentially leading to denial of service or further exploitation scenarios.

Affected Products

  • Linux kernel (multiple stable branches affected)
  • Systems utilizing ATM networking functionality
  • Linux distributions with ATM subsystem enabled

Discovery Timeline

  • April 8, 2026 - CVE-2026-31411 published to NVD
  • April 8, 2026 - Last updated in NVD database

Technical Details for CVE-2026-31411

Vulnerability Analysis

The vulnerability resides in the ATM send path, specifically within the call chain sendmsgvcc_sendmsgsigd_send. During normal ATM signaling operations, the kernel passes a VCC pointer to the signaling daemon through sigd_enq() when processing socket operations such as connect(), bind(), or listen(). The daemon is expected to return this same pointer when responding. However, the sigd_send() function reads the VCC pointer from msg->vcc and uses it directly without any validation, trusting that the userspace daemon returns a legitimate pointer.

A malicious process can exploit this by first establishing itself as the ATM signaling daemon using the ATMSIGD_CTRL ioctl on an AF_ATMSVC socket. Once established, it can craft messages containing arbitrary pointer values in place of legitimate VCC pointers. When the kernel processes these messages, it dereferences the forged pointer, which can point to arbitrary memory addresses (such as 0xdeadbeef in the provided reproducer), resulting in a kernel crash or potential memory corruption.

Root Cause

The root cause is insufficient input validation in the kernel's ATM signaling interface. The sigd_send() function implicitly trusts that pointer values received from the userspace signaling daemon are valid kernel memory addresses that were previously passed to userspace by the kernel. This trust assumption is fundamentally flawed because userspace is untrusted and can supply arbitrary values. The lack of pointer validation before dereference creates a classic user-to-kernel attack surface.

Attack Vector

The attack requires local access and the ability to create an AF_ATMSVC socket and issue the ATMSIGD_CTRL ioctl to become the ATM signaling daemon. The attacker constructs a message buffer with a forged VCC pointer value embedded at the expected offset and calls sendmsg() on the socket. The kernel then processes this message and attempts to dereference the attacker-controlled pointer, leading to a crash or potentially exploitable memory access.

The fix introduces a find_get_vcc() function that validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs) and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime, making sock_hold/sock_put sufficient to keep the VCC alive during use.

Detection Methods for CVE-2026-31411

Indicators of Compromise

  • Unexpected kernel crashes or panics with stack traces involving sigd_send(), vcc_sendmsg(), or ATM subsystem functions
  • Processes unexpectedly becoming ATM signaling daemons via ATMSIGD_CTRL ioctl
  • Suspicious socket activity on AF_ATMSVC sockets from non-privileged or unexpected processes
  • Kernel oops messages referencing invalid memory addresses during ATM operations

Detection Strategies

  • Monitor for ATMSIGD_CTRL ioctl calls using syscall auditing or kernel tracing (ftrace/eBPF)
  • Deploy kernel crash monitoring to capture and analyze stack traces for ATM-related crashes
  • Implement auditd rules to track socket creation with AF_ATMSVC address family
  • Use eBPF-based monitoring to detect anomalous patterns in ATM subsystem interactions

Monitoring Recommendations

  • Enable kernel oops and panic logging to persistent storage for post-incident analysis
  • Configure crash dump collection (kdump) to capture kernel state during exploitation attempts
  • Monitor system logs for repeated kernel warnings or errors from the ATM networking subsystem
  • Consider disabling the ATM subsystem entirely if not required for operational purposes

How to Mitigate CVE-2026-31411

Immediate Actions Required

  • Update to a patched kernel version as soon as available from your Linux distribution
  • If ATM networking is not required, consider blacklisting or disabling the ATM kernel modules
  • Review and restrict access to systems where ATM functionality is enabled
  • Monitor systems for signs of exploitation attempts while patching is in progress

Patch Information

The fix has been committed to multiple stable kernel branches. The patch introduces find_get_vcc() which validates VCC pointers by searching through vcc_hash and acquires proper references using sock_hold() before use. The following commits contain the fix:

Workarounds

  • Blacklist ATM kernel modules if not required: add blacklist atm and related modules to /etc/modprobe.d/
  • Restrict socket creation for AF_ATMSVC using seccomp filters on untrusted processes
  • Limit access to the ATMSIGD_CTRL ioctl through SELinux or AppArmor policies
  • Consider network segmentation to isolate systems that require ATM functionality
bash
# Disable ATM modules if not required
echo "blacklist atm" >> /etc/modprobe.d/disable-atm.conf
echo "blacklist clip" >> /etc/modprobe.d/disable-atm.conf
echo "blacklist br2684" >> /etc/modprobe.d/disable-atm.conf
echo "blacklist pppoatm" >> /etc/modprobe.d/disable-atm.conf

# Prevent module loading
rmmod atm 2>/dev/null || true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.