External risk intelligence

Linux kernel bridge could allow external attacker to cause a system crash.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-31682

A flaw in the Linux kernel network bridge could allow an external attacker to send malicious data, causing a system crash or exposing sensitive information. This poses a risk to business operations by enabling service outages and potential data leaks.

1Halo Surface Signal

Linux Kernel

4.15 to before 5.10.2535.11 to before 5.15.2035.16 to before 6.1.1686.2 to before 6.6.1346.7 to before 6.12.816.13 to before 6.18.226.19 to before 6.19.127.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-31682

The vulnerability exists in the Linux kernel bridge's handling of local network Neighbor Discovery traffic. It requires an attacker to have access to the same local network segment to send the necessary crafted packets. This is a link-layer operation that is not routable across the public internet, making the attack surface local-only and not directly exposed.

Horizon Alert

Summary of the vulnerability and why it matters

This Linux kernel vulnerability could allow an unauthenticated attacker to crash systems or potentially gain elevated privileges. The issue lies in how the bridge component handles certain network traffic, leading to memory corruption when processing specific data. This is a serious concern for any system running the affected Linux kernel versions.

Could lead to system crashes.
May allow unauthorized privilege escalation.
Impacts systems using the Linux kernel bridge.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw to trigger a denial of service or potentially execute arbitrary code by sending specially crafted network packets. This leverages a weakness in how the Linux kernel's network bridge processes Neighbor Discovery (ND) options, allowing for out-of-bounds reads when these options are not in a linear buffer. This could be abused by an unauthenticated attacker on the same network segment.

Requires network access.
Targets network bridge parsing.
Exploits non-linear data.

Live Threat

Current exploitation, exposure, and threat context

This Linux kernel vulnerability in bridge Neighbor Discovery parsing has a limited threat picture due to its localized attack vector. Attackers would need to be on the same local network segment to exploit this, making it unsuitable for broad internet-facing attacks. The focus on local network operations inherently restricts its appeal for widespread weaponization.

Local network attack required.
No public exploit observed.
Not listed as KEV.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating the Linux kernel to address the Neighbor Discovery option parsing vulnerability. If immediate patching is not feasible, implement network segmentation and intensive monitoring to detect or block malicious NDP traffic. Inventory all affected systems to understand the scope of exposure.

Update Linux kernel to patched version.
Isolate vulnerable systems if patching is delayed.
Monitor network traffic for malicious NDP packets.

Frequently asked questions

What is the vulnerability in the Linux kernel bridge related to Neighbor Discovery options?

The Linux kernel bridge has a vulnerability where the br_nd_send function parses Neighbor Discovery (ND) options assuming they are in the linear part of the skb. However, callers only guarantee the ICMPv6 header and target address are available, meaning the option area can be non-linear. This can lead to parsing outside the linear buffer, causing potential memory corruption.

What weakness class does the Linux kernel bridge vulnerability fall under?

This vulnerability is an out-of-bounds read, which falls under the weakness class of buffer over-read. It occurs because the code attempts to access data beyond the allocated buffer when parsing Neighbor Discovery options that are not in a linear format.

How can the Linux kernel bridge vulnerability be triggered, and what is the scope of negation?

The vulnerability is triggered when specially crafted Neighbor Discovery options are present in a non-linear part of the skb. The parsing function `br_nd_send` incorrectly assumes linearity. The scope is negated in the sense that an attacker needs to be on the same local network segment to send these crafted packets, rather than being able to exploit it directly over the public internet.

What is the relevance of the Linux kernel bridge vulnerability in the context of threat advisories?

This Linux kernel bridge vulnerability is considered to have a limited threat picture because exploitation requires an attacker to be on the same local network segment. This local attack vector makes it unsuitable for widespread internet-facing attacks and means it is not typically a focus for broad threat advisories. No public exploits have been observed, and it is not listed as a Known Exploited Vulnerability (KEV).

What practical steps should be taken to address the Linux kernel bridge vulnerability?

The primary practical step is to update the Linux kernel to a patched version that resolves the Neighbor Discovery option parsing issue. If immediate patching is not possible, implementing network segmentation and closely monitoring network traffic for malicious Neighbor Discovery Protocol (NDP) packets can help mitigate the risk. It is also crucial to identify and inventory all affected systems to understand the scope of exposure.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.