CRITICAL
netfilter EUI64 Deref
CVE-2026-31685
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
KernelScan AI: 7.5 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_eui64: reject invalid MAC header for all packets

`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address.

The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid.

Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
02 KernelScan AI Analysis
Risk summary
Remote attackers can cause kernel crashes by sending IPv6 packets that lack a valid MAC header to systems using netfilter eui64 match rules. The vulnerability allows denial-of-service attacks against IPv6-enabled systems with specific netfilter configurations.
Vulnerability analysis
The `eui64_mt6()` function in netfilter's IPv6 EUI-64 match module has a flawed guard condition that only validates MAC headers for fragmented packets (`par->fragoff != 0`). For non-fragmented packets, the function can access `eth_hdr(skb)` even when the MAC header is not valid, leading to an out-of-bounds read. The fix removes the fragmentation condition so all packets are properly validated before MAC header access. This is reachable via IPv6 packets processed by netfilter rules using the eui64 match module.
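A userspace model of the guard described above, added here as an illustration; it is not the kernel's code. `struct pkt`, `MAC_UNSET`, the function names and the sample frame are constructed for the example; only the `fragoff` condition and the modified EUI-64 comparison come from the description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN  14
#define MAC_UNSET ((size_t)-1)  /* model's marker: no MAC header recorded */
/* Hypothetical userspace stand-in for the skb state the match reads. */
struct pkt {
    const uint8_t *head;  /* start of the buffer */
    size_t mac_off;       /* offset of the Ethernet header, or MAC_UNSET */
    size_t data_off;      /* offset of the IPv6 header */
    unsigned fragoff;     /* models par->fragoff */
};

/* Constructed frame: Ethernet (source 00:11:22:33:44:55), then IPv6 header. */
static const uint8_t frame[ETH_HLEN + 40] = {
    0x33,0x33,0,0,0,1, 0x00,0x11,0x22,0x33,0x44,0x55, 0x86,0xdd,
    [ETH_HLEN]     = 0x60,                     /* IPv6 version 6 */
    [ETH_HLEN + 8] = 0xfe,0x80,0,0,0,0,0,0,    /* saddr: fe80::/64 prefix */
    0x02,0x11,0x22,0xff,0xfe,0x33,0x44,0x55,   /* saddr: modified EUI-64 */
};
const struct pkt with_mac = { frame, 0, ETH_HLEN, 0 };
const struct pkt no_mac   = { frame + ETH_HLEN, MAC_UNSET, 0, 0 };

static bool mac_header_ok(const struct pkt *p)
{
    return p->mac_off != MAC_UNSET && p->mac_off + ETH_HLEN <= p->data_off;
}

/* Guard as described before the fix: only fragments are rejected. */
bool rejects_before_fix(const struct pkt *p) { return !mac_header_ok(p) && p->fragoff != 0; }
/* Guard after the fix: any packet with an invalid MAC header is rejected. */
bool rejects_after_fix(const struct pkt *p) { return !mac_header_ok(p); }

/* Returns 1 on match, 0 on mismatch, -1 if rejected before any MAC read. */
int eui64_match_fixed(const struct pkt *p)
{
    uint8_t eui64[8];
    if (rejects_after_fix(p))
        return -1;
    const uint8_t *src = p->head + p->mac_off + 6;     /* Ethernet source */
    const uint8_t *saddr = p->head + p->data_off + 8;  /* IPv6 source */
    memcpy(eui64, src, 3);
    eui64[3] = 0xff; eui64[4] = 0xfe;
    memcpy(eui64 + 5, src + 3, 3);
    eui64[0] ^= 0x02;                 /* flip the universal/local bit */
    return memcmp(saddr + 8, eui64, sizeof(eui64)) == 0;
}
```

In this model `no_mac` with `fragoff == 0` passes the pre-fix guard and is stopped only by the post-fix one, which is the gap the patch closes.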
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.83 | 9eda5478746e |
| 6.18 | 6.18.24 | 807d6ee15804 |
| 6.19 | 6.19.14 | 309ae3e9a51a |
| 6.6 | 6.6.136 | 288138418bef |
| mainline | 7.0 | fdce0b3590f7 |