{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31503", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.105Z", "datePublished": "2026-04-22T13:54:23.221Z", "dateUpdated": "2026-05-11T22:10:00.326Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:00.326Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix wildcard bind conflict check when using hash2\n\nWhen binding a udp_sock to a local address and port, UDP uses\ntwo hashes (udptable->hash and udptable->hash2) for collision\ndetection. The current code switches to \"hash2\" when\nhslot->count > 10.\n\n\"hash2\" is keyed by local address and local port.\n\"hash\" is keyed by local port only.\n\nThe issue can be shown in the following bind sequence (pseudo code):\n\nbind(fd1, \"[fd00::1]:8888\")\nbind(fd2, \"[fd00::2]:8888\")\nbind(fd3, \"[fd00::3]:8888\")\nbind(fd4, \"[fd00::4]:8888\")\nbind(fd5, \"[fd00::5]:8888\")\nbind(fd6, \"[fd00::6]:8888\")\nbind(fd7, \"[fd00::7]:8888\")\nbind(fd8, \"[fd00::8]:8888\")\nbind(fd9, \"[fd00::9]:8888\")\nbind(fd10, \"[fd00::10]:8888\")\n\n/* Correctly return -EADDRINUSE because \"hash\" is used\n * instead of \"hash2\". udp_lib_lport_inuse() detects the\n * conflict.\n */\nbind(fail_fd, \"[::]:8888\")\n\n/* After one more socket is bound to \"[fd00::11]:8888\",\n * hslot->count exceeds 10 and \"hash2\" is used instead.\n */\nbind(fd11, \"[fd00::11]:8888\")\nbind(fail_fd, \"[::]:8888\") /* succeeds unexpectedly */\n\nThe same issue applies to the IPv4 wildcard address \"0.0.0.0\"\nand the IPv4-mapped wildcard address \"::ffff:0.0.0.0\". For\nexample, if there are existing sockets bound to\n\"192.168.1.[1-11]:8888\", then binding \"0.0.0.0:8888\" or\n\"[::ffff:0.0.0.0]:8888\" can also miss the conflict when\nhslot->count > 10.\n\nTCP inet_csk_get_port() already has the correct check in\ninet_use_bhash2_on_bind(). Rename it to\ninet_use_hash2_on_bind() and move it to inet_hashtables.h\nso udp.c can reuse it in this fix."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/inet_hashtables.h", "net/ipv4/inet_connection_sock.c", "net/ipv4/udp.c"], "versions": [{"version": "30fff9231fad757c061285e347b33c5149c2c2e4", "lessThan": "d6ace0dbcbb7fd285738bb87b42b71b01858c952", "status": "affected", "versionType": "git"}, {"version": "30fff9231fad757c061285e347b33c5149c2c2e4", "lessThan": "2297e38114316b26ae02f2d205c49b5511c5ed55", "status": "affected", "versionType": "git"}, {"version": "30fff9231fad757c061285e347b33c5149c2c2e4", "lessThan": "f1bed05a832ae79be5f7a105da56810eaa59a5f1", "status": "affected", "versionType": "git"}, {"version": "30fff9231fad757c061285e347b33c5149c2c2e4", "lessThan": "18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4", "status": "affected", "versionType": "git"}, {"version": "30fff9231fad757c061285e347b33c5149c2c2e4", "lessThan": "0a360f7f73a06ac88f18917055fbcc79694252d7", "status": "affected", "versionType": "git"}, {"version": "30fff9231fad757c061285e347b33c5149c2c2e4", "lessThan": "e537dd15d0d4ad989d56a1021290f0c674dd8b28", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/inet_hashtables.h", "net/ipv4/inet_connection_sock.c", "net/ipv4/udp.c"], "versions": [{"version": "2.6.33", "status": "affected"}, {"version": "0", "lessThan": "2.6.33", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.33", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.33", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.33", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.33", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.33", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.33", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d6ace0dbcbb7fd285738bb87b42b71b01858c952"}, {"url": "https://git.kernel.org/stable/c/2297e38114316b26ae02f2d205c49b5511c5ed55"}, {"url": "https://git.kernel.org/stable/c/f1bed05a832ae79be5f7a105da56810eaa59a5f1"}, {"url": "https://git.kernel.org/stable/c/18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4"}, {"url": "https://git.kernel.org/stable/c/0a360f7f73a06ac88f18917055fbcc79694252d7"}, {"url": "https://git.kernel.org/stable/c/e537dd15d0d4ad989d56a1021290f0c674dd8b28"}], "title": "udp: Fix wildcard bind conflict check when using hash2", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8311CDFC-9254-42F8-B327-8390CCD33713", "versionEndExcluding": "6.1.168", "versionStartIncluding": "2.6.33.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.33:-:*:*:*:*:*:*", "matchCriteriaId": "EF818826-D9F2-42F9-9638-9609513561A3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix wildcard bind conflict check when using hash2\n\nWhen binding a udp_sock to a local address and port, UDP uses\ntwo hashes (udptable->hash and udptable->hash2) for collision\ndetection. The current code switches to \"hash2\" when\nhslot->count > 10.\n\n\"hash2\" is keyed by local address and local port.\n\"hash\" is keyed by local port only.\n\nThe issue can be shown in the following bind sequence (pseudo code):\n\nbind(fd1, \"[fd00::1]:8888\")\nbind(fd2, \"[fd00::2]:8888\")\nbind(fd3, \"[fd00::3]:8888\")\nbind(fd4, \"[fd00::4]:8888\")\nbind(fd5, \"[fd00::5]:8888\")\nbind(fd6, \"[fd00::6]:8888\")\nbind(fd7, \"[fd00::7]:8888\")\nbind(fd8, \"[fd00::8]:8888\")\nbind(fd9, \"[fd00::9]:8888\")\nbind(fd10, \"[fd00::10]:8888\")\n\n/* Correctly return -EADDRINUSE because \"hash\" is used\n * instead of \"hash2\". udp_lib_lport_inuse() detects the\n * conflict.\n */\nbind(fail_fd, \"[::]:8888\")\n\n/* After one more socket is bound to \"[fd00::11]:8888\",\n * hslot->count exceeds 10 and \"hash2\" is used instead.\n */\nbind(fd11, \"[fd00::11]:8888\")\nbind(fail_fd, \"[::]:8888\") /* succeeds unexpectedly */\n\nThe same issue applies to the IPv4 wildcard address \"0.0.0.0\"\nand the IPv4-mapped wildcard address \"::ffff:0.0.0.0\". For\nexample, if there are existing sockets bound to\n\"192.168.1.[1-11]:8888\", then binding \"0.0.0.0:8888\" or\n\"[::ffff:0.0.0.0]:8888\" can also miss the conflict when\nhslot->count > 10.\n\nTCP inet_csk_get_port() already has the correct check in\ninet_use_bhash2_on_bind(). Rename it to\ninet_use_hash2_on_bind() and move it to inet_hashtables.h\nso udp.c can reuse it in this fix."}], "id": "CVE-2026-31503", "lastModified": "2026-04-28T15:07:47.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:48.863", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0a360f7f73a06ac88f18917055fbcc79694252d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2297e38114316b26ae02f2d205c49b5511c5ed55"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d6ace0dbcbb7fd285738bb87b42b71b01858c952"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e537dd15d0d4ad989d56a1021290f0c674dd8b28"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f1bed05a832ae79be5f7a105da56810eaa59a5f1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: udp: Fix wildcard bind conflict check when using hash2", "id": "2460736", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460736"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-253", "details": ["A flaw was found in the Linux kernel's User Datagram Protocol (UDP) implementation. When a significant number of UDP sockets are bound to specific local addresses on the same port, the kernel's conflict detection mechanism can fail. This allows a local attacker to bind to a wildcard address on a port that should already be in use, potentially leading to a Denial of Service (DoS) for legitimate applications attempting to use that port."], "name": "CVE-2026-31503", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31503\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31503\nhttps://lore.kernel.org/linux-cve-announce/2026042206-CVE-2026-31503-602a@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30fff9231fad757c061285e347b33c5149c2c2e4,d6ace0dbcbb7fd285738bb87b42b71b01858c952)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30fff9231fad757c061285e347b33c5149c2c2e4,2297e38114316b26ae02f2d205c49b5511c5ed55)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30fff9231fad757c061285e347b33c5149c2c2e4,f1bed05a832ae79be5f7a105da56810eaa59a5f1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30fff9231fad757c061285e347b33c5149c2c2e4,18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30fff9231fad757c061285e347b33c5149c2c2e4,0a360f7f73a06ac88f18917055fbcc79694252d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30fff9231fad757c061285e347b33c5149c2c2e4,e537dd15d0d4ad989d56a1021290f0c674dd8b28)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.33"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.33)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T00:02:18.771210+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the UDP binding hash2 conflict fix (see the kernel commit references provided).", "Reboot the system after the kernel update so all processes use the patched kernel. ", "Restart services that use UDP after the reboot so they re\u2011register sockets under the new binding logic."], "summary": {"action": "Patch", "impact": "Improper UDP port binding conflict detection"}, "threat_synthesis": {"affected_systems": "All versions of the Linux kernel that implement the described UDP binding logic are susceptible. The provided CPE data includes the generic Linux kernel and specific release candidates 2.6.33 and 7.0 RC1 through RC7. Any host running one of these kernel versions may experience the issue when more than ten sockets are bound to the same port under different addresses.\n", "description_and_impact": "The Linux kernel\u2019s UDP implementation maintains two hash tables for binding sockets: a primary hash keyed only by port and a secondary hash keyed by both local address and port. When more than ten sockets are bound to the same port, the kernel switches to the secondary hash. The bug arises because the conflict check for wildcard binds (e.g., \"[::]:port\" or \"0.0.0.0:port\") is not performed when the secondary hash is active, allowing a wildcard bind that should be refused to succeed. The defect applies to both IPv4 and IPv6 families, including IPv4\u2011mapped IPv6 addresses, and results in a port being bound unexpectedly by a wildcard socket, potentially disrupting service by misdirecting traffic intended for specific address bindings.\n\nThe flaw can be triggered locally on the host: any user with the ability to create sockets on the affected ports can repeatedly bind sockets under different addresses to bring the hash count above the threshold and then attempt a wildcard bind that succeeds when it should not. This local binding behavior does not grant remote code execution or privilege escalation.\n\nThe vulnerability is reflected in a CVSS score of 5.5 and an EPSS score of less than 1%, indicating a low probability of exploitation. It is not listed in the CISA KEV catalog. The primary risk is local denial of service, affecting port isolation on the host, and it is unlikely to be used as part of a broader attack.\n", "risk_and_exploitability": "The CVSS score of 5.5 places the flaw in a moderate severity range, while the EPSS score of less than 1% suggests a very low chance of widespread exploitation. Because the attack vector is local, any user capable of binding sockets below the privileged port range can trigger the bug. No remote exploitation path exists, and the flaw does not provide privilege escalation. Overall, the risk is moderate, largely limited to local service disruption.\n"}}}}, "created": "2026-04-22T18:00:05.277219+00:00", "updated": "2026-04-29T00:15:43.456548+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}