CVE-2026-31428
Uninitialized Memory Leak in Linux netfilter NFULA_PAYLOAD

Publication date: 2026-04-13

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD

__build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket.

Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.
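Added example (not kernel code and not from the fix): a user-space C model of the NLA arithmetic the description relies on, contrasting a manual build that leaves the nla_padlen(data_len) tail untouched with an nla_reserve()-style build that zeroes it. NLA_ALIGNTO, NLA_ALIGN, nla_total_size() and nla_padlen() follow the kernel definitions; the buffer, its fill bytes and the attribute type value are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define NLA_ALIGNTO 4                          /* netlink attribute alignment */
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define STALE 0xAA                             /* constructed "old heap" byte */

struct nlattr { uint16_t nla_len; uint16_t nla_type; };
static int nla_attr_size(int payload) { return NLA_HDRLEN + payload; }
static int nla_total_size(int payload) { return NLA_ALIGN(nla_attr_size(payload)); }
static int nla_padlen(int payload) { return nla_total_size(payload) - nla_attr_size(payload); }

/* Pre-fix shape: take nla_total_size() bytes (skb_put), write the header,
 * copy data_len bytes (skb_copy_bits); the padding keeps whatever was there. */
static void build_manual(uint8_t *skb, int type, const uint8_t *data, int data_len)
{
    struct nlattr *nla = (struct nlattr *)skb;
    nla->nla_type = (uint16_t)type;
    nla->nla_len = (uint16_t)nla_attr_size(data_len);
    memcpy(skb + NLA_HDRLEN, data, data_len);
}

/* Post-fix shape: nla_reserve() sets up the header and zeroes the
 * nla_padlen() tail before the payload is copied on top of it. */
static void build_reserved(uint8_t *skb, int type, const uint8_t *data, int data_len)
{
    struct nlattr *nla = (struct nlattr *)skb;
    nla->nla_type = (uint16_t)type;
    nla->nla_len = (uint16_t)nla_attr_size(data_len);
    memset(skb + nla_attr_size(data_len), 0, nla_padlen(data_len));
    memcpy(skb + NLA_HDRLEN, data, data_len);
}

/* Build one attribute into a STALE-filled buffer and count how many padding
 * bytes still carry the old contents, i.e. what a netlink reader would see. */
static int stale_padding_bytes(int use_reserve, int data_len)
{
    uint32_t words[16];                        /* 64-byte, 4-aligned buffer */
    uint8_t *skb = (uint8_t *)words, payload[32];
    int n = 0;

    memset(skb, STALE, sizeof words);
    memset(payload, 0x11, sizeof payload);     /* constructed packet bytes */
    if (use_reserve)
        build_reserved(skb, 9, payload, data_len);   /* 9: attribute type stand-in */
    else
        build_manual(skb, 9, payload, data_len);
    for (int i = 0; i < nla_padlen(data_len); i++)
        n += skb[nla_attr_size(data_len) + i] == STALE;
    return n;
}
```

With a 5-byte payload the attribute occupies 12 bytes, so the manual build exposes 3 stale bytes and the reserved build none; a 4-byte-aligned payload has no padding to leak in either case.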
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)

Vendor        Product       Version / Range
linux         linux_kernel  *
linux_kernel  linux_kernel  *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter nfnetlink_log component. It involves an uninitialized padding leak in the NFULA_PAYLOAD netlink attribute. Specifically, the function __build_packet_message() manually constructs the NFULA_PAYLOAD attribute by allocating memory for the payload plus padding, but only initializes the actual payload data bytes. The padding bytes, which can be 1 to 3 bytes when the data length is not 4-byte aligned, remain uninitialized and may contain stale heap data. This uninitialized data is then leaked to userspace through the NFLOG netlink socket.

The fix replaces the manual construction with the nla_reserve() helper, which properly initializes the padding bytes to zero, preventing the leakage of stale heap contents.


How can this vulnerability impact me?

This vulnerability can lead to unintended leakage of kernel heap memory contents to userspace via the NFLOG netlink socket. An attacker or a user with access to this interface could potentially obtain sensitive information from the kernel memory that was not meant to be exposed. This could include data from other processes or kernel structures, potentially leading to information disclosure.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by replacing the manual construction of the NFULA_PAYLOAD netlink attribute with the use of nla_reserve(), which properly initializes padding and prevents leakage of stale heap contents.

Therefore, the immediate step to mitigate this vulnerability is to update the Linux kernel to a version that includes this fix.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes uninitialized padding bytes to leak stale heap contents to userspace via the NFLOG netlink socket.

Such leakage of potentially sensitive kernel memory contents could lead to unauthorized disclosure of information.

Unauthorized disclosure of sensitive data may impact compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and health information.

