The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31674

CVE-2026-31674: Linux Kernel Netfilter DoS Vulnerability

CVE-2026-31674 is a denial of service flaw in the Linux kernel netfilter ip6t_rt component that could allow attackers to trigger system instability. This article covers technical details, affected versions, and mitigation.

Published: April 30, 2026

CVE-2026-31674 Overview

A vulnerability has been identified in the Linux kernel's netfilter subsystem, specifically in the ip6t_rt module responsible for matching IPv6 routing header extensions. The flaw exists in the rt_mt6_check() function which fails to properly validate the addrnr parameter against the IP6T_RT_HOPS boundary limit. This allows a local attacker with limited privileges to install malformed routing match rules that can trigger out-of-bounds memory access when the rt_mt6() function processes the rule, potentially leading to information disclosure or denial of service.

Critical Impact

Local attackers can exploit this vulnerability to read sensitive kernel memory or cause system crashes through crafted netfilter rules with oversized address number values.

Affected Products

  • Linux Kernel (multiple stable versions)
  • Systems using ip6tables with IPv6 routing header matching
  • Network appliances and servers running affected kernel versions

Discovery Timeline

  • 2026-04-25 - CVE CVE-2026-31674 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-31674

Vulnerability Analysis

The vulnerability resides in the IPv6 routing header match extension (ip6t_rt) within the Linux kernel's netfilter framework. When a user configures ip6tables rules to match IPv6 routing headers, the kernel module stores configuration data in a structure that includes an addrnr field specifying the number of addresses to match.

The core issue is that the rt_mt6_check() function, which validates match rules during installation, does not verify that addrnr falls within the bounds defined by IP6T_RT_HOPS. The rtinfo->addrs[] array has a fixed size, but without proper validation, an attacker can specify an addrnr value exceeding this array's bounds.

When the match function rt_mt6() subsequently processes network packets against these malformed rules, it iterates based on the unchecked addrnr value, causing out-of-bounds array access. This can result in reading kernel memory beyond the allocated buffer (information disclosure) or triggering memory access violations that crash the system (denial of service).

Root Cause

The root cause is missing input validation in the rt_mt6_check() function. The function fails to enforce that user-supplied addrnr values remain within the IP6T_RT_HOPS constant boundary, which defines the maximum size of the addrs[] array in the routing match info structure. This is a classic boundary condition error where user-controlled input is trusted without verification before being used to index into fixed-size arrays.

Attack Vector

Exploitation requires local access with the ability to configure netfilter/ip6tables rules, typically requiring CAP_NET_ADMIN capability or root privileges. An attacker would craft an ip6tables rule with a routing header match (-m rt) specifying an addrnr value larger than IP6T_RT_HOPS. When this rule is installed, the kernel accepts it without validation. Subsequently, when IPv6 packets are processed against this rule, the kernel reads beyond the bounds of the addresses array.

The attack is performed locally and does not require user interaction. While it requires elevated privileges to configure netfilter rules, in containerized environments or systems with delegated network administration, this boundary may be crossed by semi-trusted users.

Detection Methods for CVE-2026-31674

Indicators of Compromise

  • Unexpected kernel crashes or panics with stack traces referencing rt_mt6 or ip6t_rt modules
  • System logs showing memory access violations in netfilter-related kernel code
  • Unusual ip6tables rules with routing header match parameters containing abnormally high address count values
  • Kernel oops messages indicating out-of-bounds access in the netfilter subsystem

Detection Strategies

  • Monitor kernel logs (dmesg, /var/log/kern.log) for BUG, WARNING, or OOPS messages referencing the ip6t_rt module
  • Audit ip6tables configurations for routing header match rules (-m rt) with suspicious --rt-segsleft or address parameters
  • Deploy kernel integrity monitoring to detect abnormal netfilter module behavior
  • Implement audit rules to log all ip6tables configuration changes with user attribution

Monitoring Recommendations

  • Enable kernel auditing for network administration capability usage (CAP_NET_ADMIN)
  • Configure centralized logging for all systems to capture kernel-level events
  • Implement automated alerting for kernel panic or crash events
  • Use SentinelOne's Linux agent to monitor for suspicious netfilter configuration activities

How to Mitigate CVE-2026-31674

Immediate Actions Required

  • Update the Linux kernel to a patched version that includes the addrnr bounds checking fix
  • Restrict access to ip6tables configuration to only trusted administrators
  • Review existing ip6tables rules for any malformed routing header matches
  • Consider temporarily disabling IPv6 routing header matching if not required for operations

Patch Information

The Linux kernel maintainers have released patches across multiple stable kernel branches to address this vulnerability. The fix adds proper validation in rt_mt6_check() to reject match rules where addrnr exceeds IP6T_RT_HOPS.

Patches are available through the following kernel commits:

  • Kernel Commit 13e3e30
  • Kernel Commit 29ea965
  • Kernel Commit 9d3f027
  • Kernel Commit a28ebf6
  • Kernel Commit af9b7e2
  • Kernel Commit c6a503a
  • Kernel Commit d8795fd
  • Kernel Commit ded71f5

Organizations should apply the appropriate patch for their kernel version through their Linux distribution's package manager.

Workarounds

  • Unload the ip6t_rt kernel module if IPv6 routing header matching is not required: modprobe -r ip6t_rt
  • Add the module to a blacklist to prevent automatic loading: add blacklist ip6t_rt to /etc/modprobe.d/blacklist.conf
  • Restrict access to network namespace and netfilter configuration capabilities in container environments
  • Implement strict access controls limiting which users can modify iptables/ip6tables rules
bash
# Unload the vulnerable module if not in use
sudo modprobe -r ip6t_rt

# Blacklist the module to prevent automatic loading
echo "blacklist ip6t_rt" | sudo tee /etc/modprobe.d/blacklist-ip6t_rt.conf

# Verify the module is not loaded
lsmod | grep ip6t_rt

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechLinux Kernel
  • SeverityHIGH
  • CVSS Score7.1
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • Technical References
  • Kernel Commit 13e3e30
  • Kernel Commit 29ea965
  • Kernel Commit 9d3f027
  • Kernel Commit a28ebf6
  • Kernel Commit af9b7e2
  • Kernel Commit c6a503a
  • Kernel Commit d8795fd
  • Kernel Commit ded71f5
  • Related CVEs
  • CVE-2026-31739: Linux Kernel Tegra Crypto DoS Vulnerability
  • CVE-2026-43054: Linux Kernel tcm_loop DOS Vulnerability
  • CVE-2026-31736: Linux Kernel MTK PPE DoS Vulnerability
  • CVE-2026-31727: Linux Kernel USB Gadget DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English