ACK: [SRU][Q][PATCH 0/1] CVE-2026-31405
Jian Hui Lee
jianhui.lee at canonical.com
Fri Jul 3 02:27:48 UTC 2026
Acked-by: Jian Hui Lee <jianhui.lee at canonical.com>
On Wed, Jun 24, 2026 at 8:32 AM Cengiz Can via kernel-team
<kernel-team at lists.ubuntu.com> wrote:
>
> https://ubuntu.com/security/CVE-2026-31405
>
> [ Impact ]
>
> The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in
> handle_one_ule_extension() of the dvb-net driver are declared with 255 elements
> (valid indices 0-254), but the index htype is derived from network-controlled
> data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals
> 255, an out-of-bounds read occurs on the function pointer table, and the OOB
> value may be called as a function pointer. As this index is controlled by
> network data, a remote attacker could trigger the out-of-bounds access,
> potentially leading to memory disclosure or arbitrary code execution.
>
> [ Fix ]
>
> questing: clean cherry-pick
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this fix would affect the DVB network (dvb-net) subsystem's ULE
> decapsulation path; an incorrect bounds check could cause valid SNDUs to be
> wrongly discarded, breaking reception of MPE/ULE-encapsulated network traffic
> over DVB devices.
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list