{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31662","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.129Z","datePublished":"2026-04-24T14:45:12.593Z","dateUpdated":"2026-05-11T22:13:09.670Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:13:09.670Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG\n\nThe GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements\nbc_ackers on every inbound group ACK, even when the same member has\nalready acknowledged the current broadcast round.\n\nBecause bc_ackers is a u16, a duplicate ACK received after the last\nlegitimate ACK wraps the counter to 65535. Once wrapped,\ntipc_group_bc_cong() keeps reporting congestion and later group\nbroadcasts on the affected socket stay blocked until the group is\nrecreated.\n\nFix this by ignoring duplicate or stale ACKs before touching bc_acked or\nbc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and\nprevents the underflow path."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tipc/group.c"],"versions":[{"version":"2f487712b89376fce267223bbb0db93d393d4b09","lessThan":"a7db57ccca21f5801609065473c89a38229ecb92","status":"affected","versionType":"git"},{"version":"2f487712b89376fce267223bbb0db93d393d4b09","lessThan":"36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412","status":"affected","versionType":"git"},{"version":"2f487712b89376fce267223bbb0db93d393d4b09","lessThan":"575faea557f1a184a5f09661bd47ebd3ef3769f8","status":"affected","versionType":"git"},{"version":"2f487712b89376fce267223bbb0db93d393d4b09","lessThan":"3bcf7aca63f0bcd679ae28e9b99823c608e59ce3","status":"affected","versionType":"git"},{"version":"2f487712b89376fce267223bbb0db93d393d4b09","lessThan":"a2ea1ef0167d7a84730638d05c20ccdc421b14b6","status":"affected","versionType":"git"},{"version":"2f487712b89376fce267223bbb0db93d393d4b09","lessThan":"1b6f13f626665cac67ba5a012765427680518711","status":"affected","versionType":"git"},{"version":"2f487712b89376fce267223bbb0db93d393d4b09","lessThan":"e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682","status":"affected","versionType":"git"},{"version":"2f487712b89376fce267223bbb0db93d393d4b09","lessThan":"48a5fe38772b6f039522469ee6131a67838221a8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tipc/group.c"],"versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.169","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.135","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.82","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.1.169"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.6.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.12.82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.18.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.19.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a7db57ccca21f5801609065473c89a38229ecb92"},{"url":"https://git.kernel.org/stable/c/36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412"},{"url":"https://git.kernel.org/stable/c/575faea557f1a184a5f09661bd47ebd3ef3769f8"},{"url":"https://git.kernel.org/stable/c/3bcf7aca63f0bcd679ae28e9b99823c608e59ce3"},{"url":"https://git.kernel.org/stable/c/a2ea1ef0167d7a84730638d05c20ccdc421b14b6"},{"url":"https://git.kernel.org/stable/c/1b6f13f626665cac67ba5a012765427680518711"},{"url":"https://git.kernel.org/stable/c/e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682"},{"url":"https://git.kernel.org/stable/c/48a5fe38772b6f039522469ee6131a67838221a8"}],"title":"tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG","x_generator":{"engine":"bippy-1.2.0"}}}}