CVE-2026-31752 Overview
CVE-2026-31752 is a Linux kernel vulnerability in the bridge subsystem's Neighbor Discovery (ND) handling code. The flaw resides in the br_nd_send() function, which walks ND options based on lengths supplied within the options themselves. A malformed ND option can cause the parser to advance beyond the computed option span or read a source link-layer address (LLADDR) option whose payload is too short to hold an Ethernet address. The fix validates option lengths against the remaining Neighbor Solicitation (NS) option area before advancing and only reads the source LLADDR when the option size is sufficient.
Critical Impact
A local attacker with low privileges can trigger out-of-bounds memory access in the kernel bridge code, leading to a denial-of-service condition that disrupts kernel availability.
Affected Products
- Linux Kernel (multiple stable branches prior to the patched commits)
- Linux Kernel 7.0-rc1 through 7.0-rc6 release candidates
- Systems using the Linux bridge module with IPv6 Neighbor Discovery enabled
Discovery Timeline
- 2026-05-01 - CVE-2026-31752 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31752
Vulnerability Analysis
The vulnerability exists in br_nd_send(), a Linux kernel bridge function that constructs and processes IPv6 Neighbor Discovery messages. ND options follow a Type-Length-Value (TLV) layout where each option declares its own length in 8-byte units. The original implementation trusted these option-provided lengths without confirming they fit within the remaining option buffer.
A crafted ND packet containing malformed option lengths can cause the parser to advance past the end of the valid NS option area. Additionally, the parser could read source LLADDR option payloads that were shorter than the six bytes required for an Ethernet address. Both behaviors result in out-of-bounds memory reads inside kernel space.
The issue is categorized as a kernel input validation flaw [CWE-NVD-noinfo] affecting availability. With an EPSS score of 0.032%, active exploitation probability is currently low, but kernel-resident parsing flaws remain attractive targets.
Root Cause
The root cause is missing bounds validation in the ND option walker. The function advanced its cursor by the value of the option's length field without checking it against the remaining bytes in the option area. It also dereferenced the source LLADDR payload without confirming the option was large enough to contain a full Ethernet hardware address.
Attack Vector
Exploitation requires local access with low privileges to a system where the Linux bridge module processes IPv6 Neighbor Discovery traffic. An attacker injects a malformed Neighbor Solicitation frame with crafted option length fields onto a bridged interface. When br_nd_send() parses the frame, the malformed option triggers reads beyond the valid buffer, potentially crashing the kernel.
Review the upstream patch series at the Kernel Git Commit 259466f and the Kernel Git Commit ee02d8 for the exact validation checks introduced.
// No verified public exploit code is available for this CVE.
// See upstream stable kernel commits for the validation logic added to br_nd_send().
Detection Methods for CVE-2026-31752
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing br_nd_send or the bridge module in dmesg output
- KASAN (Kernel Address Sanitizer) reports indicating out-of-bounds reads within the bridge ND handling code paths
- Repeated crashes on hosts running the bridge module with IPv6 Neighbor Discovery traffic from untrusted sources
Detection Strategies
- Monitor kernel logs for bridge-related stack traces and crash signatures originating from ND option parsing
- Inspect bridged network traffic for malformed ND options where the declared length exceeds the remaining option buffer
- Correlate kernel availability events with packet captures on bridge interfaces to identify malicious NS frames
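The bounds checks described under Root Cause, and the malformed-length condition named in the detection strategies above, written as a user-space C validator. This is an added example, not the kernel's br_nd_send() code or the upstream patch; the function name nd_check_options, the status names and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ND_OPT_SOURCE_LL_ADDR 1 /* RFC 4861 option type */
#define ND_OPT_HDR_LEN 2        /* type byte + length byte */
#define ETH_ALEN 6

enum nd_status { ND_OK, ND_TRUNCATED_HDR, ND_ZERO_LEN, ND_OVERRUN, ND_SHORT_LLADDR };

/* Hypothetical helper: walk an NS option area, checking every length against
 * the bytes that remain before moving the cursor. Copies the source LLADDR to
 * mac and sets *found when that option is present and large enough. */
enum nd_status nd_check_options(const uint8_t *opt, size_t area_len,
                                uint8_t mac[ETH_ALEN], int *found)
{
    size_t off = 0;
    *found = 0;
    while (off < area_len) {
        size_t remaining = area_len - off;
        size_t opt_len;
        if (remaining < ND_OPT_HDR_LEN)
            return ND_TRUNCATED_HDR;        /* cannot read the length byte */
        opt_len = (size_t)opt[off + 1] * 8; /* length is in 8-byte units */
        if (opt_len == 0)
            return ND_ZERO_LEN;             /* RFC 4861: discard the packet */
        if (opt_len > remaining)
            return ND_OVERRUN;              /* claims more than is left */
        if (opt[off] == ND_OPT_SOURCE_LL_ADDR) {
            /* Explicit guard on the read; any non-zero length in 8-byte
             * units already satisfies it once the check above has passed. */
            if (opt_len < ND_OPT_HDR_LEN + ETH_ALEN)
                return ND_SHORT_LLADDR;
            memcpy(mac, opt + off + ND_OPT_HDR_LEN, ETH_ALEN);
            *found = 1;
        }
        off += opt_len;
    }
    return ND_OK;
}

/* Constructed sample option areas, not captured traffic. */
static const uint8_t sample_ok[] = { 1, 1, 0x02, 0x00, 0x5e, 0x10, 0x00, 0x01 };
static const uint8_t sample_overrun[] = { 1, 1, 0x02, 0x00, 0x5e, 0x10 }; /* 6 of 8 bytes */
static const uint8_t sample_zero[] = { 14, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    uint8_t mac[ETH_ALEN];
    int found;
    return nd_check_options(sample_ok, sizeof sample_ok, mac, &found) != ND_OK;
}
```

A non-zero status from the validator identifies an option area that an unchecked walker would have read past.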
Monitoring Recommendations
- Enable persistent kernel log forwarding to a centralized log aggregation platform for retention and search
- Track installed kernel versions across the fleet and flag hosts running unpatched kernels exposed to untrusted IPv6 segments
- Alert on abnormal reboot patterns or systemd service restarts that correlate with bridge module load events
How to Mitigate CVE-2026-31752
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the eight stable Git commits published by kernel.org
- Restrict access to bridge interfaces by removing untrusted endpoints from bridges that process IPv6 ND traffic
- Prioritize patching on multi-tenant hosts, virtualization servers, and container platforms where local untrusted users coexist with the bridge module
Patch Information
The Linux kernel maintainers released fixes across multiple stable branches. The patches add length validation against the remaining NS option area before advancing the parser cursor and gate the source LLADDR read on a minimum option size sufficient for an Ethernet address. Relevant references include the Kernel Git Commit 82a42e, Kernel Git Commit 837392, Kernel Git Commit 850837, Kernel Git Commit c49b92, Kernel Git Commit e0bfd6, and Kernel Git Commit e71303. Distribution vendors will integrate these commits into stable kernel package updates.
Workarounds
- Unload the bridge module on systems that do not require it using modprobe -r bridge and blacklist it in /etc/modprobe.d/
- Disable IPv6 on bridged interfaces where ND processing is not required for operational use cases
- Apply nftables or ebtables rules to drop malformed ND packets at the bridge layer until kernel updates can be deployed
# Example: blacklist the bridge module if not in use
echo "blacklist bridge" | sudo tee /etc/modprobe.d/disable-bridge.conf
sudo modprobe -r bridge
# Verify current kernel version after patching
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


