HIGH
openvswitch MPLS Overflow
CVE-2026-31679
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

openvswitch: validate MPLS set/set_masked payload length

validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for SET/SET_MASKED actions. In action handling, OVS expects fixed-size MPLS key data (struct ovs_key_mpls).

Use the already normalized key_len (masked case included) and reject non-matching MPLS action key sizes.

Reject invalid MPLS action payload lengths early.
02 KernelScan AI Analysis
Risk summary
Open vSwitch fails to validate MPLS action payload lengths, allowing local attackers with CAP_NET_ADMIN (obtainable via unprivileged user namespaces) to trigger an out-of-bounds read. This can lead to information disclosure or kernel panic on systems using Open vSwitch for network virtualization.
Vulnerability analysis
The validate_set() function accepted variable-sized MPLS key payloads without length validation, while action handling code expected fixed-size struct ovs_key_mpls data. This size mismatch causes an out-of-bounds read when processing malformed MPLS SET/SET_MASKED actions, potentially leaking kernel heap data or causing a page fault. The fix adds early length validation to reject non-matching payload sizes. Attack requires CAP_NET_ADMIN privileges, which are obtainable by unprivileged users via user namespaces on default kernels.
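The length check described above, as a userspace model added here for illustration (not the kernel patch and not KernelScan output). The attribute header, MODEL_ATTR_MPLS, make_attr() and check_mpls() are hypothetical names for this model; the struct mirrors the single 32-bit label stack entry of struct ovs_key_mpls, and the masked case assumes the payload is the key followed by an equally sized mask.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code. One 32-bit label stack entry. */
struct ovs_key_mpls { uint32_t mpls_lse; };
struct attr_hdr { uint16_t len, type; };   /* same layout as struct nlattr */
#define MODEL_ATTR_MPLS 1                  /* constructed type id for this model */

/* Build a constructed attribute: header plus zeroed payload. Returns total length. */
static size_t make_attr(uint8_t *buf, uint16_t type, uint16_t payload_len)
{
    struct attr_hdr h = { (uint16_t)(sizeof(h) + payload_len), type };
    memcpy(buf, &h, sizeof(h));
    memset(buf + sizeof(h), 0, payload_len);
    return h.len;
}

/* fixed=false: MPLS payload treated as variable-sized; fixed=true: exact size required. */
static int validate_set(const uint8_t *buf, size_t buflen, bool masked, bool fixed)
{
    struct attr_hdr h;
    if (buflen < sizeof(h)) return -EINVAL;
    memcpy(&h, buf, sizeof(h));
    if (h.len < sizeof(h) || h.len > buflen) return -EINVAL;
    size_t key_len = h.len - sizeof(h);
    if (masked) key_len /= 2;              /* normalise: key followed by mask */
    if (fixed && h.type == MODEL_ATTR_MPLS && key_len != sizeof(struct ovs_key_mpls))
        return -EINVAL;                    /* handler reads exactly one struct */
    return 0;
}

/* Validate a constructed MPLS attribute with the given payload size (max 60 bytes). */
static int check_mpls(uint16_t payload_len, bool masked, bool fixed)
{
    uint8_t buf[64];
    size_t n = make_attr(buf, MODEL_ATTR_MPLS, payload_len);
    return validate_set(buf, n, masked, fixed);
}

int main(void)
{
    const uint16_t sizes[] = { 0, 2, 4, 8, 12 };   /* constructed payload sizes */
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("payload=%2u set: old=%d fixed=%d  masked: old=%d fixed=%d\n",
               (unsigned)sizes[i], check_mpls(sizes[i], false, false),
               check_mpls(sizes[i], false, true), check_mpls(sizes[i], true, false),
               check_mpls(sizes[i], true, true));
    return 0;
}
```

A SET payload of 2 bytes passes the permissive check but is shorter than the 4 bytes a fixed-size consumer reads; the strict check rejects it before any handler runs.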
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 68f32ef0683c |
| 5.15 | 5.15.203 | 4cae986225f8 |
| 6.1 | 6.1.168 | 8ed7b9930cbc |
| 6.6 | 6.6.131 | c1f97152df8d |
| 6.12 | 6.12.80 | 98de18d327ef |
| 6.18 | 6.18.21 | bd50c7484c3b |
| 6.19 | 6.19.11 | 2ca33b88a79c |
| mainline | 7.0 | 546b68ac8935 |