CVE-2026-31427
Received - Intake
Use of Uninitialized Variable in Linux netfilter nf_conntrack_sip

Publication date: 2026-04-13

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found.

If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it.

With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack.

Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.
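The address decision described above, as an added example: a simplified userspace C model written for this page, not the kernel's process_sdp() or the upstream patch. The function name session_hook_addr, the IPv4-only c= parsing, the list of recognized media types and the SDP bodies (documentation addresses) are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code; recognized media types are assumed. */
static const char *const known[] = { "m=audio ", "m=video ", "m=image " };

/* Returns 1 if the session hook would run (addr = address it receives),
 * 0 if it is skipped. patched=0 models the old code on a zeroed stack. */
int session_hook_addr(const char *sdp, int patched, char addr[64])
{
    char caddr[64] = "", tmp[64], line[256];
    int have_rtp_addr = 0, in_media = 0, active = 0, port = 0;

    strcpy(addr, "0.0.0.0");    /* what CONFIG_INIT_STACK_ALL_ZERO leaves */
    while (*sdp) {
        size_t i, n = strcspn(sdp, "\r\n");
        const char *src = NULL;             /* address chosen by this line */
        snprintf(line, sizeof(line), "%.*s", (int)n, sdp);
        sdp += n + strspn(sdp + n, "\r\n");
        if (!strncmp(line, "m=", 2)) {
            in_media = 1;
            active = 0;         /* recognized type with non-zero port only */
            for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
                if (!strncmp(line, known[i], strlen(known[i])) &&
                    sscanf(line + strlen(known[i]), "%d", &port) == 1 && port)
                    active = 1;
            if (active && caddr[0])
                src = caddr;                /* inherit session-level c= */
        } else if (sscanf(line, "c=IN IP4 %63s", tmp) == 1) {
            if (!in_media)
                strcpy(caddr, tmp);         /* session-level c= (caddr) */
            if ((in_media && active) || (!in_media && patched))
                src = tmp;      /* active media c=, or the fix's pre-init */
        }
        if (src) {
            strcpy(addr, src);
            have_rtp_addr = 1;
        }
    }
    return patched ? have_rtp_addr : 1; /* old code always ran the hook */
}

int main(void)
{
    char a[64];
    const char *hold = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 0 RTP/AVP 0\r\n";
    int r = session_hook_addr(hold, 1, a);  /* constructed inactive session */
    printf("hook=%d addr=%s\n", r, a);
    return 0;
}
```

Calling the function with patched=0 on the same body returns 1 with 0.0.0.0, which is the rewrite the description reports for inactive sessions.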
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-18
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor: linux, Product: linux_kernel, Version / Range: *
Vendor: linux_kernel, Product: linux_kernel, Version / Range: *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nf_conntrack_sip module. The function process_sdp() uses a variable called rtp_addr that is sometimes left uninitialized if the SDP (Session Description Protocol) body lacks certain media lines or contains only inactive or unrecognized media types. Despite this, the function still passes this uninitialized rtp_addr to another function, which then uses the stale or garbage stack value as an IP address to rewrite session owner and connection lines in the SDP. This can cause incorrect IP addresses like 0.0.0.0 or random stack data to be inserted into SDP sessions.


How can this vulnerability impact me?

The impact of this vulnerability is that the SDP session owner and connection lines may be rewritten with incorrect IP addresses. This can lead to network communication issues, such as failed or misrouted SIP (Session Initiation Protocol) sessions, because the IP addresses used for media streams may be invalid or incorrect. In some cases, the rewritten address could be 0.0.0.0 or a random value from the stack, potentially disrupting VoIP or other multimedia communications relying on SIP.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by pre-initializing the rtp_addr variable in the Linux kernel netfilter nf_conntrack_sip module. To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Specifically, apply the kernel update that addresses the issue in process_sdp() where uninitialized rtp_addr was used, preventing incorrect rewriting of SDP session addresses.

