CVE-2026-31427
Analyzed Analyzed - Analysis Complete
Use of Uninitialized Variable in Linux netfilter nf_conntrack_sip

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it. With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack. Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31427
EUVD
EUVD-2026-21954
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 2.6.26 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nf_conntrack_sip module. The function process_sdp() uses a variable called rtp_addr that is sometimes left uninitialized if the SDP (Session Description Protocol) body lacks certain media lines or contains only inactive or unrecognized media types. Despite this, the function still passes this uninitialized rtp_addr to another function, which then uses the stale or garbage stack value as an IP address to rewrite session owner and connection lines in the SDP. This can cause incorrect IP addresses like 0.0.0.0 or random stack data to be inserted into SDP sessions.

Impact Analysis

The impact of this vulnerability is that the SDP session owner and connection lines may be rewritten with incorrect IP addresses. This can lead to network communication issues, such as failed or misrouted SIP (Session Initiation Protocol) sessions, because the IP addresses used for media streams may be invalid or incorrect. In some cases, the rewritten address could be 0.0.0.0 or a random value from the stack, potentially disrupting VoIP or other multimedia communications relying on SIP.

Mitigation Strategies

The vulnerability is fixed by pre-initializing the rtp_addr variable in the Linux kernel netfilter nf_conntrack_sip module. To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Specifically, apply the kernel update that addresses the issue in process_sdp() where uninitialized rtp_addr was used, preventing incorrect rewriting of SDP session addresses.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31427. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart