7.5

CVE-2026-31662

tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG

The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements
bc_ackers on every inbound group ACK, even when the same member has
already acknowledged the current broadcast round.

Because bc_ackers is a u16, a duplicate ACK received after the last
legitimate ACK wraps the counter to 65535. Once wrapped,
tipc_group_bc_cong() keeps reporting congestion and later group
broadcasts on the affected socket stay blocked until the group is
recreated.

Fix this by ignoring duplicate or stale ACKs before touching bc_acked or
bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and
prevents the underflow path.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.15.1 < 5.10.253
LinuxLinux Kernel Version >= 5.11 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.169
LinuxLinux Kernel Version >= 6.2 < 6.6.135
LinuxLinux Kernel Version >= 6.7 < 6.12.82
LinuxLinux Kernel Version >= 6.13 < 6.18.23
LinuxLinux Kernel Version >= 6.19 < 6.19.13
LinuxLinux Kernel Version4.15 Update-
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
LinuxLinux Kernel Version7.0 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.39% 0.305
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-191 Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

https://git.kernel.org/stable/c/a7db57ccca21f5801609065473c89a38229ecb92
Patch
https://git.kernel.org/stable/c/36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412
Patch
https://git.kernel.org/stable/c/575faea557f1a184a5f09661bd47ebd3ef3769f8
Patch
https://git.kernel.org/stable/c/3bcf7aca63f0bcd679ae28e9b99823c608e59ce3
Patch
https://git.kernel.org/stable/c/a2ea1ef0167d7a84730638d05c20ccdc421b14b6
Patch
https://git.kernel.org/stable/c/1b6f13f626665cac67ba5a012765427680518711
Patch
https://git.kernel.org/stable/c/e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682
Patch
https://git.kernel.org/stable/c/48a5fe38772b6f039522469ee6131a67838221a8
Patch