Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Linux kernel TIPC bc_ackers underflow on duplicate GRP_ACK_MSG

IdentifiersCVE-2026-31662CWE-191· Integer Underflow (Wrap or…

CVE-2026-31662 is an availability-impacting flaw in the Linux kernel's TIPC group messaging logic. In the GRP_ACK_MSG handling path inside tipc_group_proto_rcv(), the bc_ackers counter is decremented for every inbound group ACK, even if the same member has already acknowledged the current broadcast round. Because bc_ackers is a u16, receipt of a duplicate ACK after the final legitimate ACK can cause the counter to underflow and wrap to 65535. After this wraparound, tipc_group_bc_cong() continues to report broadcast congestion, causing subsequent group broadcasts on the affected socket to remain blocked until the group is recreated. The fix makes ACK processing idempotent by ignoring duplicate or stale ACKs before updating bc_acked or bc_ackers.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a persistent denial of service against TIPC group broadcast on the affected socket. Once bc_ackers wraps, the kernel continues to believe the socket is congested, preventing later group broadcasts from progressing until the group is torn down and recreated. Available information indicates no confidentiality or integrity impact; the primary effect is high availability loss.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling TIPC where it is not required, preventing untrusted systems from sending TIPC traffic, and restricting network reachability to TIPC-capable nodes through segmentation and filtering. Because the issue is network-reachable and affects availability, limiting access to TIPC group messaging paths is the most practical interim mitigation until patched kernels are deployed.

Remediation

Patch, then assume compromise.

Apply a Linux kernel update that includes the TIPC fix for duplicate/stale GRP_ACK_MSG handling. The corrected code ignores duplicate or stale ACKs before modifying bc_acked or bc_ackers, preventing the u16 underflow and restoring idempotent ACK processing. Vendor-provided kernel updates from SUSE and other downstreams should be used where applicable.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

6 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31662
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31662
MITRE CWE · CWE-191
Integer Underflow (Wrap or Wraparound)
Patch
git.kernel.org/stable/c/1b6f13f626665cac67ba5a012765427680518711
Patch
git.kernel.org/stable/c/36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412
Patch
git.kernel.org/stable/c/3bcf7aca63f0bcd679ae28e9b99823c608e59ce3
Patch
git.kernel.org/stable/c/48a5fe38772b6f039522469ee6131a67838221a8
Patch
git.kernel.org/stable/c/575faea557f1a184a5f09661bd47ebd3ef3769f8
Patch
git.kernel.org/stable/c/a2ea1ef0167d7a84730638d05c20ccdc421b14b6
Patch
git.kernel.org/stable/c/a7db57ccca21f5801609065473c89a38229ecb92
Patch
git.kernel.org/stable/c/e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682