CVE-2026-31685 -- CVSS 9.4 Vulnerability Briefing
CVE-2026-31685 | CVSS 9.4 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-31685 is a validation flaw in the Linux kernel's netfilter subsystem, specifically within the ip6t_eui64 match module, where the kernel fails to reject packets with invalid Ethernet MAC headers before attempting to derive a modified EUI-64 identifier.
Technical Detail
The function eui64_mt6() in netfilter/ip6t_eui64.c constructs a modified EUI-64 address from the Ethernet source MAC header of incoming packets without first validating that the MAC header is present and well-formed for all packet types. An attacker capable of injecting or forwarding specially crafted packets through a system running an affected kernel with ip6t_eui64 rules active could trigger out-of-bounds memory access or undefined behavior, potentially leading to kernel memory corruption or a denial-of-service condition. The precise exploitability for privilege escalation or code execution depends on kernel configuration and memory layout, but the CVSS score of 9.4 places the flaw in the Critical severity band.
Exploitation Status
No known exploit exists for this vulnerability at this time. The exploit maturity is assessed as none, and CISA has not added this CVE to the Known Exploited Vulnerabilities catalog as of May 2, 2026. There is no public proof-of-concept code confirmed in open sources.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence.
What To Do
Apply the upstream Linux kernel patch that resolves this flaw by adding MAC header validation in eui64_mt6() before any header field access. Administrators running netfilter configurations that use ip6t_eui64 match rules should prioritize patching, particularly on systems exposed to untrusted network traffic. As a short-term workaround, removing or disabling ip6t_eui64-based netfilter rules eliminates the attack surface until a patched kernel can be deployed. Monitor vendor-specific advisories from major Linux distributions including Red Hat, Debian, Ubuntu, and SUSE for backported fixes and associated package versions. Detection can be aided by monitoring kernel logs for unexpected netfilter-related panics or memory fault messages on IPv6-enabled systems.
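To locate the rules the workaround above refers to, the following added example (not part of the original briefing or of any vendor tooling) scans ip6tables-save output for rules that use the eui64 match. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: report ip6tables rules that use the eui64 match.
# Input: ip6tables-save format on stdin. Output: "<table>\t<rule>" per hit.
find_eui64_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter" opens a table
        /^-A / {
            # Match the option pair "-m eui64", not any "eui64" substring,
            # so a comment that merely mentions eui64 is not reported.
            for (i = 1; i < NF; i++)
                if (($i == "-m" || $i == "--match") && $(i + 1) == "eui64") {
                    printf "%s\t%s\n", table, $0
                    break
                }
        }
    '
}

# Constructed sample ruleset (not taken from a real host).
sample_ruleset() {
    cat <<'EOF'
# Generated by ip6tables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m eui64 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "eui64 note" -j ACCEPT
-A FORWARD -i eth1 -m eui64 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m eui64 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
EOF
}

# Offline demo on the constructed sample. On a live host, run as root:
#   ip6tables-save | find_eui64_rules
sample_ruleset | find_eui64_rules
```

An empty result on a live host means no ip6tables rule currently invokes the eui64 match; any line printed identifies a rule to remove or disable until a patched kernel is deployed.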