CVE-2026-31738 Overview
CVE-2026-31738 is a Linux kernel vulnerability in the VXLAN (Virtual Extensible LAN) driver. The flaw resides in the vxlan_na_create() function, which processes Neighbor Discovery (ND) options based on lengths supplied within the option itself. A malformed option can cause the parser to advance beyond the computed option span or read a source link-layer address (LLADDR) option payload that is too short to contain a valid Ethernet address.
The vulnerability affects Linux kernel builds that include VXLAN support and can be triggered by a local attacker with low privileges. Exploitation impacts system availability through kernel-side memory access errors.
Critical Impact
A local attacker with low privileges can trigger out-of-bounds reads in the Linux kernel VXLAN driver, leading to denial of service through kernel instability.
Affected Products
- Linux Kernel (multiple stable branches as referenced by upstream commits)
- Linux Kernel 3.14 release and 3.14-rc8
- Linux Kernel 7.0 release candidates rc1 through rc6
Discovery Timeline
- 2026-05-01 - CVE-2026-31738 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31738
Vulnerability Analysis
The defect lies in vxlan_na_create(), a function that constructs Neighbor Advertisement (NA) responses based on incoming Neighbor Solicitation (NS) packets in IPv6 environments tunneled over VXLAN. The function iterates through ND options using the length field embedded in each option header. This length is attacker-influenced and was not previously validated against the remaining option area boundary.
When a malformed ND option declares a length larger than the actual remaining buffer, the parser advances past the legitimate option span and reads adjacent kernel memory. Additionally, when the source LLADDR option is present but truncated, the function reads an Ethernet address from a payload smaller than six bytes. Both behaviors result in out-of-bounds reads within kernel space.
Root Cause
The root cause is missing input validation on protocol-supplied length fields, classified under [CWE-noinfo] by NVD. The original loop trusted the option-provided length and copied or dereferenced data without confirming sufficient remaining bytes in the NS option area. The patch adds explicit bounds checks before each advance and gates LLADDR reads on a minimum option size matching ETH_ALEN.
Attack Vector
Exploitation requires local access with low privileges to send crafted IPv6 Neighbor Solicitation traffic through a VXLAN interface. An attacker with the ability to inject packets onto a VXLAN-attached network namespace can construct a malformed NS message containing ND options with falsified length fields. When the kernel processes this packet through vxlan_na_create(), the resulting out-of-bounds read can panic the kernel or destabilize the host, producing high availability impact with no confidentiality or integrity loss per the published CVSS vector.
No public proof-of-concept exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-31738
Indicators of Compromise
- Unexpected kernel oops or panic entries in dmesg or /var/log/kern.log referencing vxlan_na_create or the vxlan module.
- Sudden network namespace or VXLAN interface failures coinciding with malformed IPv6 NS traffic on tunneled segments.
- KASAN (Kernel Address Sanitizer) reports of out-of-bounds reads in the VXLAN code path on instrumented kernels.
Detection Strategies
- Monitor kernel logs for crash signatures involving the VXLAN driver and IPv6 neighbor discovery functions.
- Inspect IPv6 NS packets traversing VXLAN tunnels for option length fields exceeding the remaining packet payload.
- Correlate host availability events with local user activity capable of crafting raw packets, such as processes with CAP_NET_RAW.
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) on hosts running VXLAN overlays to capture forensic data on kernel faults.
- Track running kernel versions across the fleet against the patched commits published on git.kernel.org.
- Audit which hosts run VXLAN interfaces and prioritize those for patch deployment and traffic monitoring.
How to Mitigate CVE-2026-31738
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the vendor advisory commits as soon as your distribution publishes updated packages.
- Restrict the CAP_NET_RAW and CAP_NET_ADMIN capabilities to trusted users only, reducing the population able to inject crafted NS packets.
- Inventory hosts running VXLAN tunnels, including container and Kubernetes nodes that depend on overlay networking.
Patch Information
The Linux kernel maintainers resolved this issue across multiple stable branches. The fix validates ND option lengths against the remaining NS option area before each advance and only reads the source LLADDR when the option is large enough to hold an Ethernet address. Reference commits include 901c1dd3bab2, e476745917a1, and eddfce70a6f3, among others published on git.kernel.org.
Workarounds
- Disable VXLAN interfaces on hosts that do not require overlay networking until the kernel is patched.
- Apply network policies that drop unexpected IPv6 Neighbor Solicitation traffic on VXLAN-attached segments.
- Restrict local user access on multi-tenant systems and remove unnecessary network capabilities from unprivileged accounts.
# Identify running kernel and VXLAN interfaces for patch planning
uname -r
ip -d link show type vxlan
# Temporarily remove a VXLAN interface if patching is delayed
sudo ip link set dev vxlan0 down
sudo ip link delete vxlan0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
