CVE-2026-31428
Analyzed Analyzed - Analysis Complete
Uninitialized Memory Leak in Linux netfilter NFULA_PAYLOAD

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket. Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31428
EUVD
EUVD-2026-21957
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 2.6.24 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter nfnetlink_log component. It involves an uninitialized padding leak in the NFULA_PAYLOAD netlink attribute. Specifically, the function __build_packet_message() manually constructs the NFULA_PAYLOAD attribute by allocating memory for the payload plus padding, but only initializes the actual payload data bytes. The padding bytes, which can be 1 to 3 bytes when the data length is not 4-byte aligned, remain uninitialized and may contain stale heap data. This uninitialized data is then leaked to userspace through the NFLOG netlink socket.

The fix replaces the manual construction with the nla_reserve() helper, which properly initializes the padding bytes to zero, preventing the leakage of stale heap contents.

Mitigation Strategies

The vulnerability has been resolved by replacing the manual construction of the NFULA_PAYLOAD netlink attribute with the use of nla_reserve(), which properly initializes padding and prevents leakage of stale heap contents.

Therefore, the immediate step to mitigate this vulnerability is to update the Linux kernel to a version that includes this fix.

Impact Analysis

This vulnerability can lead to unintended leakage of kernel heap memory contents to userspace via the NFLOG netlink socket. An attacker or a user with access to this interface could potentially obtain sensitive information from the kernel memory that was not meant to be exposed. This could include data from other processes or kernel structures, potentially leading to information disclosure.

Compliance Impact

This vulnerability causes uninitialized padding bytes to leak stale heap contents to userspace via the NFLOG netlink socket.

Such leakage of potentially sensitive kernel memory contents could lead to unauthorized disclosure of information.

Unauthorized disclosure of sensitive data may impact compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and health information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart