CVE-2026-31428

MEDIUM

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket. Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.

Scores

CVSS v3 5.5
EPSS 0.0013
EPSS Percentile 3.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-908
Status published
Products (27)
linux/Kernel 2.6.24 - 5.10.253linux
linux/Kernel 5.11.0 - 5.15.203linux
linux/Kernel 5.16.0 - 6.1.168linux
linux/Kernel 6.13.0 - 6.18.21linux
linux/Kernel 6.19.0 - 6.19.11linux
linux/Kernel 6.2.0 - 6.6.131linux
linux/Kernel 6.7.0 - 6.12.80linux
Linux/Linux < 2.6.24
Linux/Linux 2.6.24
Linux/Linux 5.10.253 - 5.10.*
... and 17 more
Published Apr 13, 2026
Tracked Since Apr 13, 2026