Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

process_sdp() declares union nf_inet_addr rtp_addr on the stack and
passes it to the nf_nat_sip sdp_session hook after walking the SDP
media descriptions. However rtp_addr is only initialized inside the
media loop when a recognized media type with a non-zero port is found.

If the SDP body contains no m= lines, only inactive media sections
(m=audio 0 ...) or only unrecognized media types, rtp_addr is never
assigned. Despite that, the function still calls hooks->sdp_session()
with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack
value as an IP address and rewrite the SDP session owner and connection
lines with it.

With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this
results in the session-level o= and c= addresses being rewritten to
0.0.0.0 for inactive SDP sessions. Without stack auto-init the
rewritten address is whatever happened to be on the stack.

Fix this by pre-initializing rtp_addr from the session-level connection
address (caddr) when available, and tracking via a have_rtp_addr flag
whether any valid address was established. Skip the sdp_session hook
entirely when no valid address exists.
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The uninitialized stack variable rtp_addr in the Linux kernel’s netfilter nf_conntrack_sip module causes nf_nat_sip to format a stale stack value into an IP address and rewrite the session owner and connection lines of SIP messages with it. The result is that SIP sessions may be incorrectly configured with 0.0.0.0 or a garbage address, leading to connectivity failures, misrouting of media streams, or a denial of service to SIP clients.

Affected Systems

All Linux kernel distributions that include the netfilter nf_conntrack_sip code before the recent commit are affected. The vulnerability applies to the Linux kernel itself, regardless of specific vendor, and affects any systems that employ SIP NAT functionality via nf_conntrack_sip. Version details are not explicitly listed, so any kernel that has not applied the patch is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of 0.00035 implies a very low probability of exploitation, though it is not zero. This vulnerability can be exploited by an attacker who can send crafted SIP packets to a node running the vulnerable kernel, causing the kernel to rewrite session addresses incorrectly. This makes a network‑oriented exploitation likely if the system processes SIP traffic, but active exploitation has not been reported. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 20, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the fix for the nf_conntrack_sip uninitialized rtp_addr bug.
  • If a kernel upgrade is not immediately possible, disable or unload the nf_nat_sip module or SIP NAT functionality in netfilter until a patched kernel is deployed.
  • Verify that the system’s netfilter configuration does not enable the nf_nat_sip module and monitor for anomalous SIP traffic containing 0.0.0.0 addresses.

Generated by OpenCVE AI on May 20, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}

threat_severity

Moderate

Mon, 13 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it. With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack. Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.
Title netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:29.865Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31427

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T14:16:12.783

Modified: 2026-05-20T19:27:17.860

Link: CVE-2026-31427

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31427 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T21:00:12Z

Weaknesses