{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31411","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.087Z","datePublished":"2026-04-08T13:06:17.800Z","dateUpdated":"2026-05-11T22:08:11.432Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:08:11.432Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\n\nReproducer available at [1].\n\nThe ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc\npointer from msg->vcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\n\n    int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\n    ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon\n    struct msghdr msg = { .msg_iov = &iov, ... };\n    *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer\n    sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef\n\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\n\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\n\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\n\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/atm/signaling.c"],"versions":[{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"c96549d07dfdd51aadf0722cfb40711574424840","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"1c8bda3df028d5e54134077dcd09f46ca8cfceb5","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"e3f80666c2739296c3b69a127300455c43aa1067","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"21c303fec138c002f90ed33bce60e807d53072bb","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"69d3f9ee5489e6e8b66defcfa226e91d82393297","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"440c9a5fc477a8ee259d8bf669531250b8398651","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"ae88a5d2f29b69819dc7b04086734439d074a643","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/atm/signaling.c"],"versions":[{"version":"2.6.12","status":"affected"},{"version":"0","lessThan":"2.6.12","status":"unaffected","versionType":"semver"},{"version":"5.10.252","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.202","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.14","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.4","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"5.10.252"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"5.15.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.1.165"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.6.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.18.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.19.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840"},{"url":"https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5"},{"url":"https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2"},{"url":"https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067"},{"url":"https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb"},{"url":"https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297"},{"url":"https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651"},{"url":"https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643"}],"title":"net: atm: fix crash due to unvalidated vcc pointer in sigd_send()","x_generator":{"engine":"bippy-1.2.0"}}}}