Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD

__build_packet_message() manually constructs the NFULA_PAYLOAD netlink
attribute using skb_put() and skb_copy_bits(), bypassing the standard
nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes
are allocated (including NLA alignment padding), only data_len bytes
of actual packet data are copied. The trailing nla_padlen(data_len)
bytes (1-3 when data_len is not 4-byte aligned) are never initialized,
leaking stale heap contents to userspace via the NFLOG netlink socket.

Replace the manual attribute construction with nla_reserve(), which
handles the tailroom check, header setup, and padding zeroing via
__nla_reserve(). The subsequent skb_copy_bits() fills in the payload
data on top of the properly initialized attribute.
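As an added illustration (not code from the kernel or from this advisory), the following userspace model contrasts the two construction paths the description names: a hand-built attribute written with an skb_put()-style tail grab plus a copy of only data_len bytes, and an nla_reserve()-style path that zeroes the nla_padlen() tail before the copy. struct skb_model, model_skb_put(), PAYLOAD_TYPE and stale_padding_bytes() are assumptions made for the simulation; NLA_ALIGN, NLA_HDRLEN, nla_padlen() and nla_total_size() mirror the kernel's netlink helper definitions.

```c
#include <stdint.h>
#include <string.h>
struct nlattr { uint16_t nla_len; uint16_t nla_type; }; /* uapi layout */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define PAYLOAD_TYPE 9 /* stands in for NFULA_PAYLOAD; the value is not material */
static int nla_padlen(int payload) { return NLA_ALIGN(payload) - payload; }
static int nla_total_size(int payload) { return NLA_ALIGN(NLA_HDRLEN + payload); }

/* Assumed stand-in for an sk_buff tail; model_skb_put() behaves like skb_put():
 * it hands out `size` bytes of tailroom without initialising them. */
struct skb_model { unsigned char buf[64]; int len; };
static unsigned char *model_skb_put(struct skb_model *skb, int size) {
    unsigned char *p = skb->buf + skb->len;
    skb->len += size;
    return p;
}

/* Vulnerable pattern: header filled by hand, only data_len bytes copied, so
 * the trailing nla_padlen(data_len) bytes keep whatever the tail held before. */
static void put_payload_manual(struct skb_model *skb, const unsigned char *pkt, int data_len) {
    struct nlattr *nla = (struct nlattr *)model_skb_put(skb, nla_total_size(data_len));
    nla->nla_type = PAYLOAD_TYPE;
    nla->nla_len = NLA_HDRLEN + data_len;
    memcpy((unsigned char *)nla + NLA_HDRLEN, pkt, data_len);
}

/* Fixed pattern, modelled on __nla_reserve(): the padding after nla_len is
 * zeroed before the caller copies the packet bytes into the attribute. */
static void put_payload_reserved(struct skb_model *skb, const unsigned char *pkt, int data_len) {
    struct nlattr *nla = (struct nlattr *)model_skb_put(skb, nla_total_size(data_len));
    nla->nla_type = PAYLOAD_TYPE;
    nla->nla_len = NLA_HDRLEN + data_len;
    memset((unsigned char *)nla + nla->nla_len, 0, nla_padlen(data_len));
    memcpy((unsigned char *)nla + NLA_HDRLEN, pkt, data_len);
}

/* Check: pre-fill the tail with 0xAA as a stand-in for stale heap data, build
 * one data_len-byte attribute, and count padding bytes that still hold 0xAA. */
static int stale_padding_bytes(int data_len, int use_fix) {
    struct skb_model skb = { .len = 0 };
    unsigned char pkt[16] = { 0 };
    int i, leaked = 0;
    memset(skb.buf, 0xAA, sizeof skb.buf);
    if (use_fix) put_payload_reserved(&skb, pkt, data_len);
    else put_payload_manual(&skb, pkt, data_len);
    for (i = NLA_HDRLEN + data_len; i < skb.len; i++)
        leaked += (skb.buf[i] == 0xAA);
    return leaked;
}
```

With a 5-byte payload the manual path leaves three marker bytes in place, which is exactly the 1-3 byte window the description gives; the reserved path leaves none.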
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from the nfnetlink_log subsystem of the Linux kernel, where the NFULA_PAYLOAD netlink attribute was constructed manually. The construction omitted zero‑initialization of the trailing padding bytes, which can contain stale heap data. When a packet is sent over the NFLOG netlink socket, those uninitialized bytes are exposed to userspace, allowing a local attacker to read sensitive information from memory. This uninitialized memory usage (CWE‑908) results in information disclosure.

Affected Systems

All Linux kernel releases that include the vulnerable nfnetlink_log code before the patch; the vendor entry lists only the Linux kernel itself. The exact kernel versions are not specified, so every affected build should be considered at risk until the fix is applied.

Risk and Exploitability

The CVSS score is 5.5, indicating a moderate severity vulnerability. The EPSS score is 0.00035 (< 1%), indicating a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be local: an attacker must access the NFLOG netlink socket, typically requiring CAP_NET_ADMIN or similar privileges, limiting exploitation to privileged users or processes. The vulnerability does not provide remote code execution or denial of service; its impact is limited to leaking stale memory contents.

Generated by OpenCVE AI on May 20, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the nfnetlink_log padding fix.
  • If an update is not immediately possible, restrict NFLOG socket access to trusted users only, for example by configuring SELinux or tightening group permissions.
  • Consider disabling the NFLOG netlink interface if network logging is not required.

Advisories
Source      ID          Title
Debian DLA  DLA-4561-1  linux-6.1 security update
Debian DSA  DSA-6238-1  linux security update
Debian DSA  DSA-6243-1  linux security update
History

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Sat, 18 Apr 2026 09:15:00 +0000
Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Mon, 13 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description: identical to the Description text given at the top of this page.
Title: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:31.017Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31428

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-13T14:16:12.957

Modified: 2026-05-20T19:24:58.320

Link: CVE-2026-31428

Redhat

Severity : Low

Public Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31428 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T21:00:12Z

Weaknesses