Skip to main content

Linux Kernel EUVDEUVD-2026-21954

| CVE-2026-31427 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-04-13 Linux GHSA-w9rr-8fx7-936w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 19:38 vuln.today
CVSS changed
May 20, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
6e5e3c87b7e6212f1d8414fc2e4d158b01e12025,7edca70751b9bdb5b83eed53cde21eccf3c86147,01f34a80ac23ae90b1909b94b4ed05343a62f646
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21954
CVE Published
Apr 13, 2026 - 13:40 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found.

If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it.

With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack.

Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.

AnalysisAI

Stack corruption in the Linux kernel's netfilter SIP connection tracking helper (nf_conntrack_sip) allows a local low-privileged attacker to disrupt SIP call establishment by triggering use of an uninitialized rtp_addr stack variable in process_sdp(). When SDP bodies contain no valid media sections, the uninitialized address is passed to nf_nat_sdp_session(), which rewrites SDP o= and c= lines with either zeroes (when CONFIG_INIT_STACK_ALL_ZERO is active) or arbitrary stack contents, corrupting session negotiation. No public exploit identified at time of analysis; EPSS is 0.02% (7th percentile), and this vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected component is the Linux kernel's netfilter SIP ALG subsystem, specifically nf_conntrack_sip and its NAT companion nf_nat_sip. The root cause is CWE-908 (Use of Uninitialized Resource): process_sdp() declares a union nf_inet_addr rtp_addr on the stack and only initializes it within the SDP media loop when a recognized media type with a non-zero port is encountered. The unconditional call to hooks->sdp_session(&rtp_addr) after the loop means that edge-case SDP bodies - those with no m= lines, only inactive m=audio 0 sections, or only unrecognized media types - cause nf_nat_sdp_session() to format stale or zero stack bytes as an IP address and overwrite the session-level o= (origin) and c= (connection) lines. With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions), the rewrite produces 0.0.0.0. Without stack auto-init, whatever occupies that stack frame is used. CPE cpe:2.3:a:linux:linux:* confirms the wide version range affected, introduced at commit 4ab9e64e5e3c0516577818804aaf13a630d67bc9.

RemediationAI

Upgrade to one of the patched stable kernel releases: 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or 7.0. The respective upstream fix commits are available at https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025 (6.19.x), https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147 (6.18.x), https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646, https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629, https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4, and https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6. If patching is not immediately feasible, unloading the nf_conntrack_sip module (rmmod nf_conntrack_sip nf_nat_sip) is an effective compensating control - note this disables SIP ALG functionality entirely, which will break SIP NAT traversal for clients behind the affected gateway and may require clients to use STUN/ICE or manual port forwarding. This trade-off is acceptable if SIP ALG is not a critical path dependency. Prevent the module from auto-loading by blacklisting it in /etc/modprobe.d/.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

EUVD-2026-21954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy