CVE-2026-31682

Name	CVE-2026-31682
Description	In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4561-1, DSA-6238-1, DSA-6243-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
linux (PTS)	bullseye	5.10.223-1	vulnerable
	bullseye (security)	5.10.251-5	vulnerable
	bookworm	6.1.170-3	fixed
	bookworm (security)	6.1.172-1	fixed
	trixie	6.12.86-1	fixed
	trixie (security)	6.12.88-1	fixed
	forky, sid	7.0.7-1	fixed
linux-6.1 (PTS)	bullseye (security)	6.1.172-1~deb11u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
linux	source	bookworm	6.1.170-1	DSA-6243-1
linux	source	trixie	6.12.85-1	DSA-6238-1
linux	source	(unstable)	6.19.12-1
linux-6.1	source	bullseye	6.1.170-1~deb11u1	DLA-4561-1

https://git.kernel.org/linus/a01aee7cafc575bb82f5529e8734e7052f9b16ea (7.0-rc7)