Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: clear trailing padding in build_polexpire()

build_expire() clears the trailing padding bytes of struct
xfrm_user_expire after setting the hard field via memset_after(),
but the analogous function build_polexpire() does not do this for
struct xfrm_user_polexpire.

The padding bytes after the __u8 hard field are left
uninitialized from the heap allocation, and are then sent to
userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
leaking kernel heap memory contents.

Add the missing memset_after() call, matching build_expire().
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure
Action: Patch kernel
AI Analysis

Impact

The flaw resides in the xfrm kernel module’s build_polexpire() function, which fails to clear the padding bytes that follow the hard field in a struct xfrm_user_polexpire. Because these bytes are left uninitialized, they are copied from kernel heap memory and then sent to userspace via netlink multicast when a XFRMNLGRP_EXPIRE listener receives the message. The result is an information disclosure of arbitrary kernel heap contents to any process that can receive the multicast packets. This type of defect corresponds to CWE‑908. Based on the description, the attack vector appears to require the ability to subscribe to the XFRMNLGRP_EXPIRE netlink group, which generally means local or privileged access.

Affected Systems

The vulnerability exists in Linux kernel versions that have not yet incorporated the patch for build_polexpire(). Specifically, release candidates of the 2.6.12 series (rc1 through rc5) and of the 7.0 series (rc1 through rc7) contain the vulnerable code. The fix was merged into mainline Linux (commit 71a98248) and is included in all kernels released after that commit.

Risk and Exploitability

The CVSS base score of 5.5 indicates medium severity. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to observe or inject into the XFRMNLGRP_EXPIRE netlink multicast traffic, which typically implies local or privileged user context. Consequently, the overall risk is moderate, but the expected probability of successful exploitation is low.

Generated by OpenCVE AI on April 28, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch from commit 71a98248, which adds the missing memset_after() call in build_polexpire().
  • If an immediate kernel upgrade is not possible, restrict netlink access to the XFRMNLGRP_EXPIRE multicast group by configuring firewall rules or application-level permissions, thus preventing unauthorized processes from receiving the leaked kernel data.
  • Implement monitoring of netlink traffic or kernel audit rules to detect unexpected XFRMNLGRP_EXPIRE messages, helping to identify attempted exploitation and verify that the padding is cleared in memory.

Generated by OpenCVE AI on April 28, 2026 at 20:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Mon, 27 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents. Add the missing memset_after() call, matching build_expire().
Title xfrm: clear trailing padding in build_polexpire()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:11.995Z

Reserved: 2026-03-09T15:48:24.129Z

Link: CVE-2026-31664

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:46.043

Modified: 2026-04-27T19:59:44.497

Link: CVE-2026-31664

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31664 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses