CVE-2026-31662

Summary

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG

The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round.

Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts on the affected socket stay blocked until the group is recreated.

Fix this by ignoring duplicate or stale ACKs before touching bc_acked or bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and prevents the underflow path.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2f487712b89376fce267223bbb0db93d393d4b09 < a7db57ccca21f5801609065473c89a38229ecb92affected
LinuxLinux2f487712b89376fce267223bbb0db93d393d4b09 < 36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412affected
LinuxLinux2f487712b89376fce267223bbb0db93d393d4b09 < 575faea557f1a184a5f09661bd47ebd3ef3769f8affected
LinuxLinux2f487712b89376fce267223bbb0db93d393d4b09 < 3bcf7aca63f0bcd679ae28e9b99823c608e59ce3affected
LinuxLinux2f487712b89376fce267223bbb0db93d393d4b09 < a2ea1ef0167d7a84730638d05c20ccdc421b14b6affected
LinuxLinux2f487712b89376fce267223bbb0db93d393d4b09 < 1b6f13f626665cac67ba5a012765427680518711affected
LinuxLinux2f487712b89376fce267223bbb0db93d393d4b09 < e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682affected
LinuxLinux2f487712b89376fce267223bbb0db93d393d4b09 < 48a5fe38772b6f039522469ee6131a67838221a8affected
LinuxLinux4.15affected
LinuxLinux0 < 4.15unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.169 <= 6.1.*unaffected
LinuxLinux6.6.135 <= 6.6.*unaffected
LinuxLinux6.12.82 <= 6.12.*unaffected
LinuxLinux6.18.23 <= 6.18.*unaffected
LinuxLinux6.19.13 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References