CVE-2026-31531 Overview
CVE-2026-31531 is a denial-of-service vulnerability in the Linux kernel's IPv4 nexthop subsystem. The flaw resides in the rtm_get_nexthop() function in net/ipv4/nexthop.c. When a user queries a nexthop object with an RTM_GETNEXTHOP netlink message, the kernel allocates a fixed-size socket buffer using NLMSG_GOODSIZE. This fixed allocation cannot accommodate large nexthop groups containing hundreds of entries, such as 512 nexthops. The result is a kernel warning splat and a failed netlink operation, disrupting routing query functionality on affected systems.
Critical Impact
A local user with netlink access can trigger a kernel warning and disrupt nexthop query operations by requesting metadata for large Equal-Cost Multi-Path (ECMP) groups.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Systems using IPv4 nexthop objects with large ECMP groups
Discovery Timeline
- 2026-04-23 - CVE-2026-31531 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31531
Vulnerability Analysis
The vulnerability stems from a static buffer allocation pattern in the kernel's netlink response path for nexthop queries. When rtm_get_nexthop() processes an RTM_GETNEXTHOP request, it allocates an sk_buff using the constant NLMSG_GOODSIZE. This size is sufficient for single nexthops and small ECMP groups but fails when serializing larger groups.
Queries against nexthop groups containing 512 entries exceed the available buffer space. The kernel triggers a warning at net/ipv4/nexthop.c:3395 and the operation fails with the message "addattr_l ERROR: message exceeded bound of 1048". The call path traverses rtnetlink_rcv_msg, netlink_rcv_skb, and netlink_unicast before failing.
The issue is categorized as a kernel resource handling defect [CWE-noinfo]. While the public iproute2 utility limits group size and cannot directly reproduce the condition, custom netlink clients can construct larger groups and trigger the failure.
Root Cause
The root cause is the use of a hardcoded buffer size that does not scale with the actual response payload. The fix replaces the static NLMSG_GOODSIZE allocation with a dynamic calculation using nh_nlmsg_size() and nlmsg_new(). This aligns rtm_get_nexthop() behavior with the existing nexthop_notify() function. The patch also adjusts nh_nlmsg_size_grp() to compute size based on passed flags and adds the missing NHA_FDB attribute size to the group size calculation.
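The two allocation strategies described above, shown as an added example that is not kernel code and not part of the original advisory: a user-space Python model that serialises a nexthop-group reply (nlmsghdr, struct nhmsg, NHA_ID, NHA_GROUP) first into a buffer of fixed capacity, the vulnerable pattern, and then into a buffer sized from the payload before allocation, the pattern the fix adopts with nh_nlmsg_size() and nlmsg_new(). Struct, attribute and enum sizes follow the Linux UAPI headers; the 1048 capacity (taken from the error message quoted above and standing in for NLMSG_GOODSIZE, whose real value differs), the NHA_ID/NHA_GROUP-only attribute set and the MessageTooLong exception are this example's own assumptions.

```python
"""Allocation pattern behind CVE-2026-31531, modelled in user space (added example)."""
import struct

NLMSG_HDRLEN = 16         # struct nlmsghdr: len, type, flags, seq, pid
NLA_HDRLEN = 4            # struct nlattr: nla_len, nla_type
NLA_ALIGNTO = 4           # attribute payloads are padded to a 4-byte boundary
NHMSG_LEN = 8             # struct nhmsg: family, scope, protocol, resvd, nh_flags
NEXTHOP_GRP_LEN = 8       # struct nexthop_grp: u32 id, u8 weight, u8 weight_high, u16 resvd2
RTM_NEWNEXTHOP = 104      # message type of the reply to an RTM_GETNEXTHOP query
NHA_ID, NHA_GROUP = 1, 2  # attribute types from linux/nexthop.h
# Capacity of the fixed allocation. 1048 is the bound quoted in the error message
# on this page; it stands in for NLMSG_GOODSIZE here and is NOT that constant's
# real value (assumption made by this example).
FIXED_BOUND = 1048


def nla_align(n):
    return (n + NLA_ALIGNTO - 1) // NLA_ALIGNTO * NLA_ALIGNTO


def nla_total_size(payload_len):
    """Bytes one attribute occupies on the wire, header and padding included."""
    return nla_align(NLA_HDRLEN + payload_len)


class MessageTooLong(Exception):
    """Raised when a put would run past the buffer's capacity (kernel: -EMSGSIZE)."""


class NetlinkMsg:
    """Append-only netlink message with a hard capacity, like an sk_buff's tailroom."""

    def __init__(self, capacity, msg_type):
        self.capacity = capacity
        self.msg_type = msg_type
        self.buf = bytearray(NLMSG_HDRLEN)  # header is filled in by finish()

    def put_raw(self, data):
        if len(self.buf) + len(data) > self.capacity:
            raise MessageTooLong(f"message exceeded bound of {self.capacity}")
        self.buf += data

    def put_attr(self, nla_type, payload):
        attr = struct.pack("=HH", NLA_HDRLEN + len(payload), nla_type) + payload
        self.put_raw(attr + bytes(nla_align(len(attr)) - len(attr)))  # zero padding

    def finish(self):
        struct.pack_into("=IHHII", self.buf, 0, len(self.buf), self.msg_type, 0, 0, 0)
        return bytes(self.buf)


def group_payload(n_members):
    """Constructed NHA_GROUP payload: n_members struct nexthop_grp entries, ids 1..n, weight 1."""
    return b"".join(struct.pack("=IBBH", i, 1, 0, 0) for i in range(1, n_members + 1))


def nh_group_msg_size(n_members):
    """Size the reply needs, computed before allocating (the role nh_nlmsg_size() plays).
    Only NHA_ID and NHA_GROUP are counted; the kernel accounts for more attributes."""
    return (NLMSG_HDRLEN + NHMSG_LEN
            + nla_total_size(4)                              # NHA_ID (u32)
            + nla_total_size(n_members * NEXTHOP_GRP_LEN))   # NHA_GROUP


def build_reply(n_members, capacity, group_id=100):
    msg = NetlinkMsg(capacity, RTM_NEWNEXTHOP)
    msg.put_raw(struct.pack("=BBBBI", 2, 0, 0, 0, 0))  # struct nhmsg, AF_INET
    msg.put_attr(NHA_ID, struct.pack("=I", group_id))
    msg.put_attr(NHA_GROUP, group_payload(n_members))
    return msg.finish()


def reply_fixed(n_members):
    """Vulnerable pattern: allocate FIXED_BOUND bytes regardless of group size."""
    try:
        return "ok", len(build_reply(n_members, FIXED_BOUND))
    except MessageTooLong as exc:
        return "error", str(exc)


def reply_sized(n_members):
    """Fixed pattern: compute the size first, then allocate exactly that much."""
    return "ok", len(build_reply(n_members, nh_group_msg_size(n_members)))


if __name__ == "__main__":
    for n in (8, 512):
        print(n, "members: fixed ->", reply_fixed(n), "| sized ->", reply_sized(n))
```

Eight members fit the fixed buffer comfortably; 512 members need 4096 bytes of NHA_GROUP payload alone, so the fixed-capacity builder fails on the last put while the pre-sized builder emits a 4132-byte message. The point of the pattern is that the size computation and the serialisation walk the same attribute list, so the two cannot drift apart; the advisory's note that the patch adds the missing NHA_FDB size to nh_nlmsg_size_grp() is exactly a case of that list being incomplete.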
Attack Vector
Exploitation requires local access and the ability to send netlink messages to the kernel. An attacker with CAP_NET_ADMIN or sufficient privileges to interact with the routing netlink interface can craft a request targeting a large nexthop group. The result is a kernel warning splat and disruption of nexthop query functionality, impacting availability of routing management operations.
The vulnerability does not expose memory contents or allow code execution. Impact is limited to availability of the nexthop subsystem.
Detection Methods for CVE-2026-31531
Indicators of Compromise
- Kernel warning messages referencing rtm_get_nexthop+0x176/0x1c0 in dmesg or /var/log/kern.log
- Netlink errors containing "addattr_l ERROR: message exceeded bound of 1048"
- Repeated failed RTM_GETNEXTHOP requests from non-administrative processes
Detection Strategies
- Monitor kernel logs for WARNING entries originating from net/ipv4/nexthop.c
- Audit running kernel versions across Linux fleets against patched stable releases
- Track netlink socket activity for processes issuing RTM_GETNEXTHOP against large nexthop groups
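The log indicators listed above, turned into a small scanner as an added example that is not part of the original advisory: it reads syslog-style lines, counts kernel WARNING entries located in net/ipv4/nexthop.c, records the warning function and the PIDs that trigger it repeatedly, and separately counts user-space addattr_l bound errors so the two can be correlated. The sample log lines are constructed for the example; the call-trace offsets, the process name nhquery and the unrelated driver warning used as a negative case are made up and are not from any real capture.

```python
"""Scan syslog-style text for the CVE-2026-31531 indicators (added example)."""
import re
from collections import Counter

# Constructed sample modelled on the indicators above (not a real capture; offsets
# other than rtm_get_nexthop's, the process name and the driver path are made up).
SAMPLE_LOG = """\
Apr 24 10:02:11 host kernel: WARNING: CPU: 3 PID: 4123 at net/ipv4/nexthop.c:3395 rtm_get_nexthop+0x176/0x1c0
Apr 24 10:02:11 host kernel: Call Trace:
Apr 24 10:02:11 host kernel:  rtnetlink_rcv_msg+0x2d4/0x3f0
Apr 24 10:02:11 host kernel:  netlink_rcv_skb+0x53/0x100
Apr 24 10:02:11 host kernel:  netlink_unicast+0x23c/0x360
Apr 24 10:02:11 host nhquery[4123]: addattr_l ERROR: message exceeded bound of 1048
Apr 24 10:02:19 host kernel: WARNING: CPU: 1 PID: 4123 at net/ipv4/nexthop.c:3395 rtm_get_nexthop+0x176/0x1c0
Apr 24 10:02:19 host nhquery[4123]: addattr_l ERROR: message exceeded bound of 1048
Apr 24 10:03:02 host kernel: WARNING: CPU: 0 PID: 77 at drivers/net/example.c:10 some_other_fn+0x10/0x20
Apr 24 10:03:05 host kernel: eth0: link up
"""

# Kernel WARN splat whose location is inside the nexthop source file.
KERNEL_WARN_RE = re.compile(
    r"kernel: WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<file>net/ipv4/nexthop\.c):(?P<line>\d+) (?P<fn>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# iproute2-style user-space error emitted when the reply overran the client bound.
BOUND_ERR_RE = re.compile(
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: addattr_l ERROR: message exceeded bound of (?P<bound>\d+)"
)


def scan_log(text, repeat_threshold=2):
    """Summarise nexthop-related indicators found in syslog-style text.

    Returns the count of kernel WARNING lines located in net/ipv4/nexthop.c,
    the functions they name, the PIDs that triggered at least repeat_threshold
    warnings, and the user-space bound errors with the bounds they report.
    """
    warnings, bound_errors = [], []
    for line in text.splitlines():
        if (m := KERNEL_WARN_RE.search(line)):
            warnings.append(m.groupdict())
        elif (m := BOUND_ERR_RE.search(line)):
            bound_errors.append(m.groupdict())
    per_pid = Counter(w["pid"] for w in warnings)
    return {
        "nexthop_warnings": len(warnings),
        "warned_functions": sorted({w["fn"] for w in warnings}),
        "repeat_pids": sorted(pid for pid, n in per_pid.items() if n >= repeat_threshold),
        "userspace_bound_errors": len(bound_errors),
        "bound_values": sorted({int(e["bound"]) for e in bound_errors}),
    }


def should_alert(summary):
    """Any nexthop.c WARNING is alert-worthy; user-space bound errors alone are only a hint,
    since a client with a small bound can also produce them on a patched kernel."""
    return summary["nexthop_warnings"] > 0


if __name__ == "__main__":
    summary = scan_log(SAMPLE_LOG)
    print(summary, "alert:", should_alert(summary))
```

Feed it the output of dmesg or the kernel facility from the central log store; the PID grouping is what distinguishes one process repeatedly hammering nexthop queries (the "repeated failed RTM_GETNEXTHOP requests" indicator) from a single accidental hit by an administrator.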
Monitoring Recommendations
- Enable kernel audit rules to capture netlink syscalls from unprivileged users
- Forward kernel ring buffer messages to a centralized logging platform for correlation
- Alert on unexpected WARN_ON traces in the network stack across production hosts
How to Mitigate CVE-2026-31531
Immediate Actions Required
- Inventory all Linux hosts running affected kernel versions, including 7.0 release candidates
- Apply the upstream stable kernel patches referenced by the Linux maintainers
- Restrict netlink access to trusted administrative accounts where feasible
- Validate that monitoring tools are capturing kernel warning splats
Patch Information
The Linux kernel maintainers have released fixes across multiple stable branches. Apply the patches identified by commits 14cf0cd, 40bd39e, 615517f, and 635038fe. The fix replaces the fixed-size allocation with a dynamic size computed via nh_nlmsg_size() and adds the missing NHA_FDB attribute size to group calculations.
Workarounds
- Limit creation of large nexthop groups exceeding several hundred entries until patches are deployed
- Constrain CAP_NET_ADMIN capability assignment to required service accounts
- Use kernel lockdown or seccomp filters to restrict netlink usage in untrusted contexts
# Verify current kernel version and check against patched releases
uname -r
# Audit nexthop groups: print each group's id and member count
# (members are '/'-separated in the field after "group"; weights appear as id,weight)
ip nexthop show | awk '/group/ { for (i = 1; i <= NF; i++) if ($i == "group") print "id", $2, "members", split($(i+1), m, "/") }'
# Restrict CAP_NET_ADMIN for a service via the [Service] section of its systemd unit
# AmbientCapabilities=
# CapabilityBoundingSet=~CAP_NET_ADMIN
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.