{"api_version":"1","generated_at":"2026-04-25T13:02:33+00:00","cve":"CVE-2026-31674","urls":{"html":"https://cve.report/CVE-2026-31674","api":"https://cve.report/api/cve/CVE-2026-31674.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31674","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31674"},"summary":{"title":"netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-25 09:16:00","updated_at":"2026-04-25 09:16:00"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/d8795fde1f78669a87c87ac29fceab2f104daa8c","name":"https://git.kernel.org/stable/c/d8795fde1f78669a87c87ac29fceab2f104daa8c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ded71f5684df16fa645cca5bf4fe6b0cd8a46119","name":"https://git.kernel.org/stable/c/ded71f5684df16fa645cca5bf4fe6b0cd8a46119","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/29ea965a1353bc8303877422f79c8211e9ba9c55","name":"https://git.kernel.org/stable/c/29ea965a1353bc8303877422f79c8211e9ba9c55","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa","name":"https://git.kernel.org/stable/c/13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9d3f027327c2fa265f7f85ead41294792c3296ed","name":"https://git.kernel.org/stable/c/9d3f027327c2fa265f7f85ead41294792c3296ed","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a28ebf6f99de270d6338ccdc3b49f3e818f99b7b","name":"https://git.kernel.org/stable/c/a28ebf6f99de270d6338ccdc3b49f3e818f99b7b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/af9b7e2b765966457f4ec23be5bd34a141f89574","name":"https://git.kernel.org/stable/c/af9b7e2b765966457f4ec23be5bd34a141f89574","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59","name":"https://git.kernel.org/stable/c/c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31674","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31674","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 af9b7e2b765966457f4ec23be5bd34a141f89574 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 29ea965a1353bc8303877422f79c8211e9ba9c55 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ded71f5684df16fa645cca5bf4fe6b0cd8a46119 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 d8795fde1f78669a87c87ac29fceab2f104daa8c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 a28ebf6f99de270d6338ccdc3b49f3e818f99b7b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 9d3f027327c2fa265f7f85ead41294792c3296ed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.12","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.12 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.168 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.131 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.80 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/ipv6/netfilter/ip6t_rt.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"af9b7e2b765966457f4ec23be5bd34a141f89574","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"29ea965a1353bc8303877422f79c8211e9ba9c55","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"ded71f5684df16fa645cca5bf4fe6b0cd8a46119","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"d8795fde1f78669a87c87ac29fceab2f104daa8c","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"a28ebf6f99de270d6338ccdc3b49f3e818f99b7b","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"9d3f027327c2fa265f7f85ead41294792c3296ed","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/ipv6/netfilter/ip6t_rt.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.12"},{"lessThan":"2.6.12","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.168","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.131","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.80","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"2.6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"2.6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.168","versionStartIncluding":"2.6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.131","versionStartIncluding":"2.6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"2.6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"2.6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"2.6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"2.6.12","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value."}],"providerMetadata":{"dateUpdated":"2026-04-25T08:46:50.180Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa"},{"url":"https://git.kernel.org/stable/c/af9b7e2b765966457f4ec23be5bd34a141f89574"},{"url":"https://git.kernel.org/stable/c/29ea965a1353bc8303877422f79c8211e9ba9c55"},{"url":"https://git.kernel.org/stable/c/c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59"},{"url":"https://git.kernel.org/stable/c/ded71f5684df16fa645cca5bf4fe6b0cd8a46119"},{"url":"https://git.kernel.org/stable/c/d8795fde1f78669a87c87ac29fceab2f104daa8c"},{"url":"https://git.kernel.org/stable/c/a28ebf6f99de270d6338ccdc3b49f3e818f99b7b"},{"url":"https://git.kernel.org/stable/c/9d3f027327c2fa265f7f85ead41294792c3296ed"}],"title":"netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31674","datePublished":"2026-04-25T08:46:50.180Z","dateReserved":"2026-03-09T15:48:24.130Z","dateUpdated":"2026-04-25T08:46:50.180Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-25 09:16:00","lastModifiedDate":"2026-04-25 09:16:00","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31674","Ordinal":"1","Title":"netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()","CVE":"CVE-2026-31674","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31674","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value.","Type":"Description","Title":"netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()"}]}}}