{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31418", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.087Z", "datePublished": "2026-04-13T13:21:05.316Z", "dateUpdated": "2026-04-13T13:21:05.316Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T13:21:05.316Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: drop logically empty buckets in mtype_del\n\nmtype_del() counts empty slots below n->pos in k, but it only drops the\nbucket when both n->pos and k are zero. This misses buckets whose live\nentries have all been removed while n->pos still points past deleted slots.\n\nTreat a bucket as empty when all positions below n->pos are unused and\nrelease it directly instead of shrinking it further."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/ipset/ip_set_hash_gen.h"], "versions": [{"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66", "lessThan": "ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb", "status": "affected", "versionType": "git"}, {"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66", "lessThan": "6cea34d7ec6829b62f521a37a287f670144a2233", "status": "affected", "versionType": "git"}, {"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66", "lessThan": "b7eef00f08b92b0b9efe8ae0df6d0005e6199323", "status": "affected", "versionType": "git"}, {"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66", "lessThan": "68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4", "status": "affected", "versionType": "git"}, {"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66", "lessThan": "ceacaa76f221a6577aba945bb8873c2e640aeba4", "status": "affected", "versionType": "git"}, {"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66", "lessThan": "9862ef9ab0a116c6dca98842aab7de13a252ae02", "status": "affected", "versionType": "git"}, {"version": "6c717726f341fd8f39a3ec2dcf5d98d9d28a2769", "status": "affected", "versionType": "git"}, {"version": "d2997d64dfa65082236bca1efd596b6c935daf5e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/ipset/ip_set_hash_gen.h"], "versions": [{"version": "5.6", "status": "affected"}, {"version": "0", "lessThan": "5.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb"}, {"url": "https://git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233"}, {"url": "https://git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323"}, {"url": "https://git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4"}, {"url": "https://git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4"}, {"url": "https://git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02"}], "title": "netfilter: ipset: drop logically empty buckets in mtype_del", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: drop logically empty buckets in mtype_del\n\nmtype_del() counts empty slots below n->pos in k, but it only drops the\nbucket when both n->pos and k are zero. This misses buckets whose live\nentries have all been removed while n->pos still points past deleted slots.\n\nTreat a bucket as empty when all positions below n->pos are unused and\nrelease it directly instead of shrinking it further."}], "id": "CVE-2026-31418", "lastModified": "2026-04-13T15:01:43.663", "metrics": {}, "published": "2026-04-13T14:16:11.267", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: ipset: drop logically empty buckets in mtype_del", "id": "2457831", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457831"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-31418", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31418\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31418\nhttps://lore.kernel.org/linux-cve-announce/2026041311-CVE-2026-31418-e6b9@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,6cea34d7ec6829b62f521a37a287f670144a2233)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,b7eef00f08b92b0b9efe8ae0df6d0005e6199323)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,ceacaa76f221a6577aba945bb8873c2e640aeba4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8af1c6fbd9239877998c7f5a591cb2c88d41fb66,9862ef9ab0a116c6dca98842aab7de13a252ae02)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "6c717726f341fd8f39a3ec2dcf5d98d9d28a2769"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "d2997d64dfa65082236bca1efd596b6c935daf5e"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.134,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.81,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.22,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.12,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-13T15:36:03.128816+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch correcting the ipset bucket deletion logic.", "Reboot the system to load the new kernel and ensure the patch takes effect.", "Verify that ipset commands operate normally and monitor system logs for abnormal memory usage or kernel crashes.", "If a kernel upgrade cannot be performed immediately, disable the ipset module or restrict its use until the patch is available."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that include the netfilter ipset module and have not yet incorporated the commit that fixes the bucket release logic are affected. Users running older kernels on any distribution that ship an unpatched ipset implementation are susceptible to the potential resource exhaustion described.", "description_and_impact": "The Linux kernel\u2019s ipset subsystem contains a flaw in its bucket deletion logic, causing buckets that have become empty after all entries are removed to remain allocated. This results in wasted memory that can accumulate over time, potentially exhausting available memory and leading to kernel crashes or service interruptions.", "risk_and_exploitability": "The CVSS score and EPSS data are not provided, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation. Based on the description, the likely attack vector is local or privileged code that exercises the ipset bucket deletion path. An attacker could repeatedly trigger bucket deletions to consume memory or force a kernel panic, resulting in a denial\u2011of\u2011service condition. The overall risk is moderate to high for environments that heavily rely on ipset configurations and have not applied the patch."}}}}, "created": "2026-04-14T16:19:22.734500+00:00", "updated": "2026-04-14T16:34:30.475161+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-401", "CWE-399"]}