A new Linux kernel vulnerability, CVE-2026-31496, has been disclosed and patched. It affects the netfilter connection tracking (conntrack) expectations subsystem: the procfs interface for conntrack expectations can leak information across network namespaces. While the vulnerability is rated low severity, it underscores the ongoing challenge of maintaining isolation between network namespaces.
The Vulnerability: A Namespace Leak in Conntrack Expectations
The issue was introduced in commit 5b423f07a40a ("netfilter: conntrack: introduce expectation for conntrack") and affects all kernels since v3.7. The procfs file /proc/net/stat/nf_conntrack_expect is meant to display statistics for conntrack expectations, but it fails to properly isolate data per network namespace. As a result, a user in one namespace can observe expectation statistics from other namespaces, leading to an information disclosure.
Technical Details
The conntrack expectations subsystem allows netfilter to predict future connections related to an existing one, commonly used by FTP, SIP, and other protocols that negotiate secondary connections. The procfs statistics file aggregates data globally rather than per-namespace, breaking the namespace isolation model that Linux relies on for container security.
Impact and Exploitation
An attacker with access to a container or network namespace can read the expectation statistics of other namespaces on the same host. This reveals the number and types of connections being tracked, which may hint at the presence of certain services or at traffic patterns. The leaked data is statistical only; it does not include packet contents or full connection details, which limits the severity.
The Fix
The patch, authored by Pablo Neira Ayuso and merged into the mainline kernel on May 15, 2026, converts the procfs file to use per-namespace statistics. It replaces the global expect_count and expect_searched counters with per-net variables. The fix is included in Linux kernel versions 6.14.6, 6.15.3, and 6.16.
Mitigation and Recommendations
For users unable to apply the kernel update, disabling the conntrack expectations procfs interface or restricting access to /proc/net/stat/nf_conntrack_expect can mitigate the issue. However, the most effective measure is to update to a patched kernel version.
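The following script is an added example for triage and is not part of the advisory or of the kernel fix. It decides whether a running kernel carries the fix using only the version facts stated above (affected since v3.7; fixed in 6.14.6, 6.15.3 and 6.16) and reports the permission bits of the procfs file so an administrator can confirm whether the interim access restriction is in place. It assumes that a stable series the advisory does not list (for example 6.12) has no backport and reports it as affected; adjust the version table if your distribution ships a backported fix.

```shell
#!/bin/sh
# Added example, not from the advisory: kernel-version triage for CVE-2026-31496.

# Extract numeric field $2 (1=major, 2=minor, 3=patch) from a release string;
# distribution suffixes such as "-generic" are stripped first.
ver_field() { echo "$1" | sed 's/[^0-9.].*//' | cut -d. -f"$2"; }

# Succeeds (returns 0) when version $1 >= version $2, compared field by field.
ver_ge() {
  for i in 1 2 3; do
    a=$(ver_field "$1" "$i"); b=$(ver_field "$2" "$i")
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
  done
  return 0
}

# Prints "unaffected", "affected" or "patched" for a kernel release string.
# Fixed versions are those named in the advisory; any series the advisory
# does not list is assumed (our assumption) to carry no backport.
cve_2026_31496_status() {
  v="$1"
  if ! ver_ge "$v" 3.7; then echo unaffected; return; fi
  major=$(ver_field "$v" 1); minor=$(ver_field "$v" 2)
  case "$major.$minor" in
    6.14) ver_ge "$v" 6.14.6 && echo patched || echo affected ;;
    6.15) ver_ge "$v" 6.15.3 && echo patched || echo affected ;;
    *)    ver_ge "$v" 6.16   && echo patched || echo affected ;;
  esac
}

# Report on the running host: fix status plus the mode of the procfs file,
# so that an interim permission restriction can be verified.
echo "kernel $(uname -r): $(cve_2026_31496_status "$(uname -r)")"
f=/proc/net/stat/nf_conntrack_expect
if [ -e "$f" ]; then
  echo "$f mode: $(ls -l "$f" | cut -c1-10)"
else
  echo "$f not present on this host"
fi
```

Run it as an unprivileged user inside a container as well as on the host: the kernel version check answers the same either way, while the mode line shows what that user can actually read.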
Conclusion
CVE-2026-31496 is a narrowly scoped vulnerability, but it highlights the importance of proper namespace isolation in containerized environments. System administrators should prioritize applying the kernel patch to prevent any potential information leakage across namespaces.