KernelScan.io

HIGH

net/sched Netem OOB

CVE-2026-31675

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_netem: fix out-of-bounds access in packet corruption

In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.

Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access.

Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.

02

Engine v0.2.0

Risk summary

Systems using netem packet corruption for network testing are vulnerable to kernel memory corruption. An unprivileged user with access to user namespaces, or an administrator with CAP_NET_ADMIN, can trigger out-of-bounds memory access by sending specially crafted non-linear packets through netem-configured interfaces. This can lead to memory corruption or system crashes.

Affected: net/sched/sch_netem.c (network traffic control)

Vulnerability analysis

The netem packet scheduler's corruption feature fails to validate that packets have linear data before attempting to corrupt them. When skb_headlen() returns 0 for fully non-linear packets, get_random_u32_below(0) returns an unconstrained random value used as an array index, causing out-of-bounds memory access. The fix adds a simple bounds check to ensure corruption only occurs on packets with linear data. On default kernels with user namespaces enabled, an unprivileged local attacker can obtain CAP_NET_ADMIN within a new network namespace, configure netem with corruption enabled, and transmit AF_PACKET TX_RING packets over an IPIP tunnel to trigger the bug.
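A userspace C model of the flaw and the fix described above, added here as an illustration; it is not the kernel's code or KernelScan's. The helper names (model_random_u32, model_random_u32_below, unpatched_index_in_bounds, corrupt_linear) and the xorshift32 generator standing in for get_random_u32() are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: xorshift32 stands in for the kernel's get_random_u32(). */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t model_random_u32(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}
/* Variable-ceil model: the result is below ceil, except that ceil == 0
 * hands back the raw 32-bit value with no bound applied. */
static uint32_t model_random_u32_below(uint32_t ceil)
{
    uint32_t rnd = model_random_u32();
    uint64_t mult = (uint64_t)ceil * rnd;
    if (ceil == 0)
        return rnd;
    if ((uint32_t)mult < ceil) {
        uint32_t bound = -ceil % ceil;      /* 2^32 mod ceil */
        while ((uint32_t)mult < bound)
            mult = (uint64_t)ceil * model_random_u32();
    }
    return (uint32_t)(mult >> 32);
}
/* Pre-fix index choice: 1 if inside the linear area, 0 if out of bounds. */
static int unpatched_index_in_bounds(uint32_t headlen)
{
    return model_random_u32_below(headlen) < headlen;
}
/* Post-fix: skip when there is no linear data. 1 = bit flipped, 0 = skipped. */
static int corrupt_linear(uint8_t *data, uint32_t headlen)
{
    if (headlen == 0)
        return 0;
    data[model_random_u32_below(headlen)] ^= (uint8_t)(1u << model_random_u32_below(8));
    return 1;
}
int main(void)
{
    uint8_t buf[16] = {0};   /* constructed stand-in for the linear data area */
    printf("unguarded, headlen 0, index in bounds: %d\n", unpatched_index_in_bounds(0));
    printf("guarded, headlen 0: %d\n", corrupt_linear(buf, 0));
    printf("guarded, headlen 16: %d\n", corrupt_linear(buf, 16));
    return 0;
}
```

With a head length of 0 the unguarded index can never be in bounds, while any non-zero head length always yields a valid index, which is why the non-zero check alone closes the out-of-bounds access.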

03

Branch     Fixed in   Patch commit
6.12       6.12.81    13a66ca1e235
6.18       6.18.22    3a2999704ac3
6.19       6.19.12    4fd258e281fa
6.6        6.6.134    a14b56863348
mainline   7.0        d64cb81dcbd5