HOMEVULNERABILITIESCVE-2026-31503
MEDIUM

CVE-2026-31503

Published: April 22, 2026· Updated: Apr 28, 2026

5.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

udp: Fix wildcard bind conflict check when using hash2

When binding a udp_sock to a local address and port, UDP uses

two hashes (udptable->hash and udptable->hash2) for collision

detection. The current code switches to "hash2" when

hslot->count > 10.

"hash2" is keyed by local address and local port.

"hash" is keyed by local port only.

The issue can be shown in the following bind sequence (pseudo code):

bind(fd1, "[fd00::1]:8888")

bind(fd2, "[fd00::2]:8888")

bind(fd3, "[fd00::3]:8888")

bind(fd4, "[fd00::4]:8888")

bind(fd5, "[fd00::5]:8888")

bind(fd6, "[fd00::6]:8888")

bind(fd7, "[fd00::7]:8888")

bind(fd8, "[fd00::8]:8888")

bind(fd9, "[fd00::9]:8888")

bind(fd10, "[fd00::10]:8888")

/* Correctly return -EADDRINUSE because "hash" is used

* instead of "hash2". udp_lib_lport_inuse() detects the

* conflict.

*/

bind(fail_fd, "[::]:8888")

/* After one more socket is bound to "[fd00::11]:8888",

* hslot->count exceeds 10 and "hash2" is used instead.

*/

bind(fd11, "[fd00::11]:8888")

bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */

The same issue applies to the IPv4 wildcard address "0.0.0.0"

and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For

example, if there are existing sockets bound to

"192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or

"[::ffff:0.0.0.0]:8888" can also miss the conflict when

hslot->count > 10.

TCP inet_csk_get_port() already has the correct check in

inet_use_bhash2_on_bind(). Rename it to

inet_use_hash2_on_bind() and move it to inet_hashtables.h

so udp.c can reuse it in this fix.

NVD Source

Technical Analysis

CVE-2026-31503 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (6)

Quick Facts

CVE IDCVE-2026-31503
CVSS Score5.5 / 10
SeverityMEDIUM
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedApr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31503 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.