Skip to main content

Linux Kernel CVE-2026-31428

| EUVDEUVD-2026-21957 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-04-13 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 19:38 vuln.today
CVSS changed
May 20, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
7eff72968161fb8ddb26113344de3b92fb7d7ef5,52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21957
CVE Published
Apr 13, 2026 - 13:40 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD

__build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket.

Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.

AnalysisAI

Uninitialized heap memory leaks to userspace via the Linux kernel's netfilter logging subsystem (nfnetlink_log), exposing 1-3 bytes of stale kernel heap content per logged packet through the NFULA_PAYLOAD netlink attribute. Affected systems are those running Linux kernel versions dating back to commit df6fb868d611 (circa 2.6.24) where NFLOG-based packet logging is configured. A low-privileged local attacker with access to an NFLOG netlink socket can passively harvest kernel memory fragments, potentially useful for defeating KASLR or reconstructing sensitive in-memory data. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile), but the vulnerability class is well-understood by kernel exploit developers.

Technical ContextAI

The vulnerability resides in __build_packet_message() within net/netfilter/nfnetlink_log.c. When constructing the NFULA_PAYLOAD netlink attribute, the code manually calls skb_put() to reserve nla_total_size(data_len) bytes - which includes NLA 4-byte alignment padding - and then copies only data_len bytes of actual packet payload via skb_copy_bits(). The remaining nla_padlen(data_len) bytes (1-3 bytes when data_len % 4 != 0) are left uninitialized, retaining whatever stale content occupied that heap region. The standard kernel helpers nla_reserve() and __nla_reserve() zero-initialize this padding explicitly; the manual path bypasses that guarantee. CWE-908 (Use of Uninitialized Resource) is the correct root cause classification. The netlink socket delivering this data is the NFLOG subsystem, accessible to processes with CAP_NET_ADMIN or via group membership depending on kernel configuration. CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade to a patched stable kernel: 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or 7.0, depending on the LTS branch in use. Upstream fix commits are published at https://git.kernel.org/stable/c/fc961dd7272b5e4a462999635e44a4770d7f2482 and related stable refs. If an immediate kernel upgrade is not feasible, a targeted compensating control is to restrict or disable NFLOG-based netfilter logging rules: removing or disabling iptables/nftables rules that use the NFLOG target (e.g., -j NFLOG) eliminates the code path that triggers the leak. Trade-off: this disables packet logging functionality that may be relied upon for security monitoring or audit compliance. A second option is to restrict access to the NFLOG netlink socket by tightening CAP_NET_ADMIN grants and reviewing which processes or containers have elevated network namespace capabilities. Neither workaround patches the underlying kernel code; upgrading to a fixed kernel version is the definitive resolution.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-31428 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy