CRITICAL
bridge ND Options OOB
CVE-2026-31682
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 7.9 HIGH
01 Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: br_nd_send: linearize skb before parsing ND options

br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.

Linearize request before option parsing and derive ns from the linear network header.
02 KernelScan AI Analysis
Risk summary
Network attackers can trigger an out-of-bounds read in the Linux bridge's IPv6 neighbor discovery processing by sending crafted packets with non-linear option data. This leaks limited adjacent kernel memory (potentially including slab pointers that weaken KASLR) and can cause a kernel panic when the read reaches unmapped pages.
Vulnerability analysis
The vulnerability occurs in br_nd_send(), which parses IPv6 neighbor discovery options from ns->opt[] assuming they reside in the linear part of the socket buffer. Callers only guarantee that the ICMPv6 header and target address are linear, leaving the option area potentially in non-linear (paged) fragments. When the code accesses ns->opt[] without linearizing the skb first, it reads past the linear buffer boundary into adjacent kernel memory. The fix linearizes the entire request buffer before option parsing and re-derives the ns pointer from the now-linear network header, ensuring all accessed data is within bounds.
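The invariant at the heart of the description and the analysis above is that an option walk over ns->opt[] is only safe when every option byte lies in the skb's linear area. The following user-space model, added here as an example and not kernel code, reproduces that invariant with a toy skb (a linear head plus one paged fragment) and a small RFC 4861 option parser. The struct, the function names (toy_skb_linearize, process_ns, build_split_ns) and the sample Neighbour Solicitation are all this example's own constructions; the real kernel helpers it stands in for are skb_linearize() and skb_headlen(). process_ns() with linearize == false models the pre-fix assumption and refuses (returning -2) at the exact point where the kernel would have read past the linear buffer; with linearize == true it applies the fix and parses the now-contiguous options.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a socket buffer: a linear head plus one paged
 * fragment. Not the kernel's struct sk_buff; names are this example's own. */
#define HEAD_CAP 128
struct toy_skb {
    uint8_t head[HEAD_CAP];   /* linear area; headlen bytes are valid (skb_headlen()) */
    size_t  headlen;
    uint8_t frag[HEAD_CAP];   /* non-linear (paged) area */
    size_t  fraglen;
};

static size_t toy_skb_len(const struct toy_skb *skb)
{
    return skb->headlen + skb->fraglen;   /* what skb->len would report */
}

/* Stand-in for skb_linearize(): pull the paged data into the linear head.
 * Returns 0 on success, -1 if the head cannot hold the whole packet. */
static int toy_skb_linearize(struct toy_skb *skb)
{
    if (skb->headlen + skb->fraglen > HEAD_CAP)
        return -1;
    memcpy(skb->head + skb->headlen, skb->frag, skb->fraglen);
    skb->headlen += skb->fraglen;
    skb->fraglen = 0;
    return 0;
}

/* Neighbour Solicitation: 4-byte ICMPv6 header, 4 reserved bytes, 16-byte
 * target address, then TLV options in units of 8 octets (RFC 4861). */
#define NS_OPT_OFFSET 24
#define ND_OPT_SOURCE_LL_ADDR 1

/* Parse options from a buffer known to be contiguous. Returns the number of
 * source link-layer address options, or -1 on a malformed option (zero
 * length, or a length that runs past the buffer). */
static int parse_nd_options(const uint8_t *opt, size_t optlen)
{
    int found = 0;
    size_t off = 0;

    while (off + 2 <= optlen) {
        uint8_t type = opt[off];
        size_t len = (size_t)opt[off + 1] * 8;
        if (len == 0 || off + len > optlen)
            return -1;
        if (type == ND_OPT_SOURCE_LL_ADDR)
            found++;
        off += len;
    }
    return found;
}

/* Process an NS the way the page describes. The caller only guarantees that
 * the ICMPv6 header and target address are linear. Without linearization the
 * pre-fix code would walk opt[] over the full packet length while pointing at
 * the linear head; this model returns -2 instead of crossing that boundary.
 * With linearization (the fix) the options are pulled in first and parsed. */
static int process_ns(struct toy_skb *skb, bool linearize)
{
    size_t total = toy_skb_len(skb);

    if (skb->headlen < NS_OPT_OFFSET)   /* the caller's guarantee */
        return -1;
    if (linearize && toy_skb_linearize(skb) < 0)
        return -1;
    if (total > skb->headlen)           /* options extend into paged data */
        return -2;
    return parse_nd_options(skb->head + NS_OPT_OFFSET, total - NS_OPT_OFFSET);
}

/* Constructed sample: header and target in the linear head, the single
 * source link-layer option entirely in the paged fragment. */
static void build_split_ns(struct toy_skb *skb)
{
    static const uint8_t hdr_and_target[NS_OPT_OFFSET] = {
        135, 0, 0, 0,                      /* type 135 (NS), code 0, checksum */
        0, 0, 0, 0,                        /* reserved */
        0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1   /* fe80::1 */
    };
    static const uint8_t src_lladdr_opt[8] = {
        ND_OPT_SOURCE_LL_ADDR, 1,          /* type 1, length 1 (8 octets) */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01 /* sample link-layer address */
    };
    memset(skb, 0, sizeof *skb);
    memcpy(skb->head, hdr_and_target, NS_OPT_OFFSET);
    skb->headlen = NS_OPT_OFFSET;
    memcpy(skb->frag, src_lladdr_opt, sizeof src_lladdr_opt);
    skb->fraglen = sizeof src_lladdr_opt;
}

int main(void)
{
    struct toy_skb skb;

    build_split_ns(&skb);
    printf("without linearize: %d (expect -2, boundary crossed)\n", process_ns(&skb, false));
    printf("with linearize:    %d (expect 1 option found)\n", process_ns(&skb, true));
    return 0;
}
```

The -2 path is the model's substitute for the out-of-bounds read the advisory describes: in real kernel code there is no such check, which is why the fix moves the linearization ahead of the parse and re-derives ns from the linear network header rather than trusting the pointer computed earlier.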
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | c68433fd291c |
| 5.15 | 5.15.203 | 4f397b950c91 |
| 6.1 | 6.1.168 | bd91ec85aa4c |
| 6.6 | 6.6.134 | 658261898130 |
| 6.12 | 6.12.81 | 2ba4caba423e |
| 6.18 | 6.18.22 | 9c55e41c73af |
| 6.19 | 6.19.12 | 3a30f6469b05 |
| mainline | 7.0 | a01aee7cafc5 |