APPLIED[HWE-6.17]/Cmnt: [SRU][Q][PATCH 0/1] CVE-2026-31405

Stefan Bader stefan.bader at canonical.com
Tue Jul 14 13:23:21 UTC 2026


On 24/06/2026 02:32, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-31405
> 
> [ Impact ]
> 
> The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in
> handle_one_ule_extension() of the dvb-net driver are declared with 255 elements
> (valid indices 0-254), but the index htype is derived from network-controlled
> data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals
> 255, an out-of-bounds read occurs on the function pointer table, and the OOB
> value may be called as a function pointer. As this index is controlled by
> network data, a remote attacker could trigger the out-of-bounds access,
> potentially leading to memory disclosure or arbitrary code execution.
> 
> [ Fix ]
> 
> questing: clean cherry-pick
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this fix would affect the DVB network (dvb-net) subsystem's ULE
> decapsulation path; an incorrect bounds check could cause valid SNDUs to be
> wrongly discarded, breaking reception of MPE/ULE-encapsulated network traffic
> over DVB devices.
> 

Since Questing is EOL, applied to noble:linux-hwe-6.17/hwe-6.17-next. 
Thanks.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/43d771e2/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/43d771e2/attachment-0001.sig>


More information about the kernel-team mailing list