Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Medium

Out-of-bounds read in Linux kernel VXLAN vxlan_na_create

IdentifiersCVE-2026-31738CWE-125

CVE-2026-31738 is a Linux kernel vulnerability in the VXLAN subsystem, specifically in vxlan_na_create(), which parses IPv6 Neighbor Discovery (ND) options while constructing a Neighbor Advertisement. The function walks ND options using attacker-controlled option length fields. If a malformed ND option is supplied, the parser can advance beyond the computed ND option span or attempt to consume a source link-layer address (LLADDR) option whose payload is too short for an Ethernet address. The fix adds validation that each option length fits within the remaining Neighbor Solicitation option area before advancing the parser, and ensures the source LLADDR is only read when the option is large enough. Based on the available description, this is a bounds-checking failure leading to out-of-bounds memory access during ND option parsing in VXLAN.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause the kernel to read beyond the intended ND option buffer boundaries or process undersized LLADDR data, which can destabilize the networking stack and lead to denial of service. Published scoring indicates the primary impact is availability, though SUSE also assigns confidentiality and integrity impact in its own scoring. The provided source material does not establish reliable evidence of code execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting local unprivileged access to systems that can reach or influence the vulnerable VXLAN/IPv6 Neighbor Discovery processing path, and disable or restrict unnecessary VXLAN usage where operationally feasible. Because the issue is in kernel packet parsing, there is no complete mitigation short of applying the fixed kernel.

Remediation

Patch, then assume compromise.

Apply a kernel update containing the vxlan_na_create() fix that validates ND option lengths against the remaining option area and verifies the source LLADDR option is large enough before reading it. SUSE indicates fixed packages are available across multiple product lines, including kernel-default 6.4.0-46.1 or later for SUSE Linux Micro 6.0/6.1, 6.12.0-160000.33.1 or later for SUSE Linux Micro 6.2/openSUSE Leap 16.0/SLES 16.0, and 6.4.0-150700.53.55.1 or later for SLES 15 SP7. Administrators should install the relevant vendor kernel update and reboot into the patched kernel.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

4 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31738
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31738
MITRE CWE · CWE-125
cwe.mitre.org
Patch
git.kernel.org/stable/c/2029712fb2c87e9a8c75094906f2ee29bf08c500
Patch
git.kernel.org/stable/c/602596c69a70e50d9ab8c6ae0290a01f88229dd7
Patch
git.kernel.org/stable/c/901c1dd3bab2955d7e664f914c374c8c3ac2b958
Patch
git.kernel.org/stable/c/afa9a05e6c4971bd5586f1b304e14d61fb3d9385
Patch
git.kernel.org/stable/c/b69c4236255bd8de16cd876e58c6f0867d1d78b1
Patch
git.kernel.org/stable/c/de20d2e3b9179d132f5f5b44e490d7c916c6321b
Patch
git.kernel.org/stable/c/e476745917a1e288eb15e7ff49d286a86a4861d3
Patch
git.kernel.org/stable/c/eddfce70a6f3107d1679b0c2fcbeb96b593bd679