CVE-2026-31675

net/sched: sch_netem: fix out-of-bounds access in packet corruption

Published: 4/25/2026 Last updated: 5/11/2026 Reserved: 3/9/2026

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.

CNA assigner: Linux (416baaa9-dc9f-4396-8d5f-8c081fb06d67) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	7.8	High	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Opam packages affected (29)

albatross cdrom conf-bpftool conf-libbpf conf-linux-libc-dev core core_unix hvsock mirage-block-unix mm ocaml-probes ortools_solvers orun rawlink rawlink-eio rawlink-lwt restricted shell solo5 solo5-bindings-hvt solo5-bindings-spt solo5-cross-aarch64 solo5-kernel-ukvm tracy-client tuntap uring vhd-format vhd-format-lwt xapi-stdext-unix

Products affected (4)

Product	Vendor	Version
Linux	Linux	9.0.0.6
Linux	Linux	DP300 ,V500R002C00 ,RP200 ,V600R006C00 ,TE30 ,V100R001C10 ,V500R002C00 ,V600R006C00 ,TE40 ,V500R002C00 ,V600R006C00 ,TE50 ,V500R002C00 ,V600R006C00 ,TE60 ,V100R001C10 ,V500R002C00 ,V600R006C00 ,TX50 ,V500R002C00 ,V600R006C00
Linux	Linux	7.5.0.0
Linux	Linux	7.5.0.16

CVE-2026-31675

net/sched: sch_netem: fix out-of-bounds access in packet corruption

Metrics

Opam packages affected (29)

Products affected (4)

References (10)