CVE-2026-31685 Overview
A critical vulnerability has been identified in the Linux kernel's netfilter subsystem, specifically in the ip6t_eui64 module. The eui64_mt6() function, responsible for deriving a modified EUI-64 identifier from the Ethernet source address and comparing it with the low 64 bits of the IPv6 source address, contains a flaw in its MAC header validation logic. The existing guard only rejects invalid MAC headers when par->fragoff != 0, allowing packets with par->fragoff == 0 to reach eth_hdr(skb) even when the MAC header is not valid. This can lead to undefined behavior and potential security impacts when processing malformed network packets.
Critical Impact
Remote attackers can exploit this vulnerability by sending specially crafted IPv6 packets with invalid MAC headers, potentially causing memory access violations, information disclosure, or system instability in affected Linux kernel systems.
Affected Products
- Linux kernel with netfilter ip6t_eui64 module enabled
- Systems using IPv6 with EUI-64 address matching rules
- Network appliances and servers running vulnerable kernel versions
Discovery Timeline
- 2026-04-25 - CVE CVE-2026-31685 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31685
Vulnerability Analysis
This vulnerability exists in the eui64_mt6() function within the ip6t_eui64 netfilter module. The function's purpose is to match IPv6 packets where the source address contains an EUI-64 identifier derived from the Ethernet source MAC address. However, the validation logic that ensures a valid MAC header exists before accessing it is incomplete.
The core issue lies in the conditional check that was intended to prevent access to invalid MAC headers. The original code only validated the MAC header when processing fragmented packets (par->fragoff != 0). For non-fragmented packets where par->fragoff == 0, the function proceeds to call eth_hdr(skb) without first verifying that the MAC header is valid. This can result in the function reading from an invalid memory location when the packet arrives without a proper Ethernet header, such as through certain tunnel interfaces or when the MAC header has been stripped.
The vulnerability is network-accessible, requires no authentication, and has no user interaction requirements, making it particularly dangerous in exposed network environments.
Root Cause
The root cause is an insufficient boundary condition check in the eui64_mt6() function. The original implementation incorrectly assumed that MAC header validation was only necessary for fragmented packets. The fix removes the par->fragoff != 0 condition, ensuring that all packets—regardless of their fragmentation status—are validated for a proper MAC header before the function attempts to access it via eth_hdr(skb).
Attack Vector
An attacker can exploit this vulnerability remotely over the network by sending specially crafted IPv6 packets to a system with the ip6t_eui64 netfilter rule active. The attack does not require any authentication or user interaction.
The attack scenario involves:
- Identifying a target system running a vulnerable Linux kernel with netfilter rules using the EUI-64 matching module
- Crafting IPv6 packets with par->fragoff == 0 (non-fragmented) but with an invalid or missing MAC header
- Sending these packets to the target, causing the kernel to access invalid memory when processing the packet through the EUI-64 matching function
The vulnerability can be triggered through packets arriving on interfaces where the MAC header may not be present or valid, such as certain tunnel configurations or when packets are injected through mechanisms that bypass normal Ethernet framing.
Detection Methods for CVE-2026-31685
Indicators of Compromise
- Kernel panic or oops messages referencing eui64_mt6 or ip6t_eui64 in system logs
- Unexpected system crashes or reboots on systems processing IPv6 traffic
- Unusual IPv6 traffic patterns targeting systems with EUI-64 netfilter rules
- Memory corruption indicators in kernel logs related to netfilter processing
Detection Strategies
- Monitor kernel logs for panics or warnings related to the ip6t_eui64 module using dmesg or syslog analysis
- Deploy network intrusion detection rules to identify malformed IPv6 packets with suspicious header configurations
- Implement kernel crash dump analysis to identify exploitation attempts
- Use kernel tracing tools (ftrace, eBPF) to monitor eui64_mt6() function calls and their return values
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture evidence of exploitation attempts
- Configure centralized logging for all kernel messages with severity level 4 (warning) or higher
- Implement network flow analysis to detect anomalous IPv6 traffic patterns
- Set up automated alerts for any kernel oops or panic events on critical systems
How to Mitigate CVE-2026-31685
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this vulnerability
- If patching is not immediately possible, consider temporarily disabling ip6tables rules using the EUI-64 match module
- Audit existing netfilter configurations to identify systems using ip6t_eui64 matching
- Implement network-level filtering to limit IPv6 traffic to trusted sources on critical systems
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix removes the par->fragoff != 0 condition, ensuring that packets with invalid MAC headers are rejected before accessing eth_hdr(skb) regardless of fragmentation status.
Patches are available through the following kernel git commits:
- Kernel Git Commit 288138418bef
- Kernel Git Commit 309ae3e9a51a
- Kernel Git Commit 807d6ee15804
- Kernel Git Commit 9eda5478746e
- Kernel Git Commit fdce0b3590f7
Apply the appropriate patch for your kernel version from the stable kernel releases.
Workarounds
- Remove or disable ip6tables rules that use the -m eui64 match until patches can be applied
- Use alternative IPv6 filtering methods that do not rely on EUI-64 address matching
- Implement network segmentation to reduce exposure of vulnerable systems to untrusted IPv6 traffic
- Deploy compensating controls at the network perimeter to filter potentially malicious IPv6 packets
# Check if EUI-64 rules are in use
ip6tables -L -v | grep eui64
# Temporarily remove EUI-64 rules (example)
ip6tables -D INPUT -m eui64 -j ACCEPT
# Verify kernel version
uname -r
# Check for available kernel updates
apt list --upgradable 2>/dev/null | grep linux-image || yum check-update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
