The Linux kernel’s netfilter subsystem carried a bug in its connection tracking (conntrack) that allowed reads of kernel memory that should stay out of reach. Tracked as CVE-2026-31407, the flaw sits in how SCTP connections are handled through the netlink interface, and it was published on 6 April 2026.
Conntrack is the part of the kernel firewall that remembers the state of every connection: whether a packet belongs to an established session, whether it’s new, whether it’s related to another flow. For SCTP, that record includes a state field describing where the association sits in its handshake. The trouble is that nlattr_to_sctp(), in nf_conntrack_proto_sctp.c, copied the CTA_PROTOINFO_SCTP_STATE value arriving over netlink straight into ct->proto.sctp.state without first checking that the value falls inside the allowed range of SCTP states.
Since the sender of the netlink message controls that value, an out-of-range number can slip through. The kernel later uses that field as an index into internal tables, and a nonsensical index leads to accesses past the bounds of the buffer. The memory sanitizer tooling that kernel developers run flagged reads of up to 5,600 bytes beyond a 320-byte object. That leaked memory can hold sensitive kernel data.
Who is affected and how serious it is
CVE-2026-31407 carries a CVSS score of 7.1 (high). The vector is local: AV:L/AC:L/PR:L/UI:N. You need local access and some privilege; this isn’t something you fire off from the open internet. What it gives an attacker is a kernel information leak, which is most useful as an intermediate step in a larger exploit chain (for example, to defeat mitigations like KASLR ahead of a privilege escalation).
The affected code has been around for a long time. Per the NVD record, the issue touches branches going back to old releases and reaches the modern series. NVD classifies the weakness as CWE-787 (out-of-bounds write/access) rather than as a plain out-of-bounds read, so treat it with care even though the observed effect is leaking memory.
Fixed versions
The fix adds the missing validation: the value received over netlink is now checked against the range of valid states before it is assigned. kernel.org shipped the correction across several commits over the maintained branches. Versions that already include it are, among others:
- 6.6.x series: from 6.6.136
- 6.12.x series: from 6.12.83
- 6.18.x series: from 6.18.24
The touched files are net/netfilter/nf_conntrack_netlink.c and net/netfilter/nf_conntrack_proto_sctp.c.
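To make the missing check concrete, here is a user-space C model of the pattern described above: the unchecked copy of a netlink-supplied state beside the validated form the fix adds. This is an added example, not code from the kernel; the enum values, the timeout table and the struct layout are constructed assumptions, not the real definitions in nf_conntrack_proto_sctp.c.

```c
/* Added example, not kernel code: models the missing range check.
 * Enum values and table contents are constructed assumptions. */
#include <errno.h>
#include <stdint.h>

/* Assumed SCTP conntrack states; the real kernel enum may differ. */
enum sctp_ct_state {
    SCTP_CT_NONE = 0,
    SCTP_CT_CLOSED,
    SCTP_CT_COOKIE_WAIT,
    SCTP_CT_COOKIE_ECHOED,
    SCTP_CT_ESTABLISHED,
    SCTP_CT_MAX          /* one past the last valid state */
};

/* Per-state timeout table, indexed by state (constructed values). */
static const unsigned int sctp_timeouts[SCTP_CT_MAX] = { 0, 10, 3, 3, 432000 };

struct sctp_ct { uint8_t state; };

/* Pattern of the bug: the attribute value is stored without validation. */
static int set_state_unchecked(struct sctp_ct *ct, uint8_t attr_value)
{
    ct->state = attr_value;      /* no range check */
    return 0;
}

/* Hardened form: reject anything outside [0, SCTP_CT_MAX) before storing. */
static int set_state_checked(struct sctp_ct *ct, uint8_t attr_value)
{
    if (attr_value >= SCTP_CT_MAX)
        return -EINVAL;          /* malformed attribute, nothing stored */
    ct->state = attr_value;
    return 0;
}

/* Guarded lookup: a state the table cannot serve yields 0 instead of an
 * out-of-bounds read. */
static unsigned int timeout_for(const struct sctp_ct *ct)
{
    return ct->state < SCTP_CT_MAX ? sctp_timeouts[ct->state] : 0;
}

/* Runs both variants on an in-range and an out-of-range value; returns 1
 * when the checked path rejects 200 and the unchecked path stores it. */
static int demo(void)
{
    struct sctp_ct ct = { .state = SCTP_CT_NONE };
    if (set_state_checked(&ct, SCTP_CT_COOKIE_WAIT) != 0 || timeout_for(&ct) != 3)
        return 0;
    if (set_state_checked(&ct, 200) != -EINVAL || ct.state != SCTP_CT_COOKIE_WAIT)
        return 0;
    set_state_unchecked(&ct, 200);
    return ct.state >= SCTP_CT_MAX;  /* an index the table cannot serve */
}
```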
If you build your own kernel, move to a version that includes the patch. If you run a distribution, wait for your vendor’s kernel package update and apply it as soon as it lands; maintainers usually backport this kind of fix to their LTS branches. To understand the release life cycle of the community-maintained versions, see the Linux kernel page.