Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm_user: fix info leak in build_report()

struct xfrm_user_report is a __u8 proto field followed by a struct
xfrm_selector which means there are three "empty" bytes of padding, but
the padding is never zeroed before copying to userspace. Fix that up by
zeroing the structure before setting individual member variables.
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Kernel
AI Analysis

Impact

The Linux kernel's XFRM component builds a struct xfrm_user_report in build_report() and copies it to userspace without zeroing its three padding bytes. Those bytes can contain leftover kernel data, so a process that receives the report can read up to three bytes of uninitialized kernel memory from it. The record classifies this information-disclosure flaw as a memory leak (CWE-401). The disclosed data can assist further attacks; it does not directly escalate privileges.
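
An added example (not kernel code and not part of the original record) that models the layout described above and shows the padding bytes reaching the copied buffer unless the structure is zeroed first. The names report_model and sel_model, the sample values and the 0xAA fill are assumptions made for illustration; it assumes an ABI where uint32_t is 4-byte aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct xfrm_selector (NOT the kernel's definition): only its
 * 4-byte alignment matters for the layout. */
struct sel_model { uint32_t addr[4]; uint16_t dport, sport; };

/* Same shape as the report in the description: one-byte proto, then selector. */
struct report_model { uint8_t proto; struct sel_model sel; };

/* Bytes the compiler inserts between proto and sel. */
size_t padding_size(void)
{
    return offsetof(struct report_model, sel) - sizeof(uint8_t);
}

/* Fill a report member by member, copy it out, and count the padding bytes in
 * the copy that still hold stale data. zero_first = 0 models the unfixed
 * path; zero_first = 1 models the fix (zero the structure, then set members). */
size_t stale_padding_bytes(int zero_first)
{
    const struct sel_model sample = { {0x0a000001u, 0, 0, 0}, 500, 4500 };
    struct report_model r;
    unsigned char out[sizeof r];
    size_t i, stale = 0;

    memset(&r, 0xAA, sizeof r);      /* constructed "leftover" memory */
    if (zero_first)
        memset(&r, 0, sizeof r);     /* the fix: zero the whole structure */
    r.proto = 50;                    /* in practice these member stores */
    r.sel = sample;                  /* do not write the padding bytes  */

    memcpy(out, &r, sizeof r);       /* stands in for the copy to userspace */
    for (i = sizeof(uint8_t); i < offsetof(struct report_model, sel); i++)
        if (out[i] != 0)
            stale++;
    return stale;
}

int main(void)
{
    printf("padding bytes: %zu\n", padding_size());
    printf("stale without zeroing: %zu\n", stale_padding_bytes(0));
    printf("stale with zeroing: %zu\n", stale_padding_bytes(1));
    return 0;
}
```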

Affected Systems

All Linux kernel releases that predate the patch through commit 0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9 are affected, including the 2.6.19 series and the 7.0 release candidates (rc1 through rc7). A system running any of these kernel versions without the fix is susceptible; newer mainstream releases that incorporate the commit are not affected.

Risk and Exploitability

With a CVSS score of 5.5 the vulnerability is of moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Exploitation would most likely occur through the XFRM subsystem, which is normally restricted to privileged users or processes with specific capabilities. While the flaw does not provide direct privilege escalation, the information exposed could aid an attacker in constructing more damaging exploits.

Generated by OpenCVE AI on April 28, 2026 at 13:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the commit that zeroes the padding bytes before copying the structure to userspace.
  • If an update is not immediately possible, restrict or disable access to the XFRM subsystem by configuring the kernel’s capability settings or using system hardening tools such as SELinux or AppArmor to block untrusted processes from calling XFRM interfaces.
  • Apply general kernel hardening measures, such as enabling mm‑petc and grsecurity patches or setting "vm.mmap_min_addr" and "kernel.kptr_restrict" to harden memory exposure, which can reduce the impact of the padding leak.

Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_report() struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector which means there is three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables.
Title xfrm_user: fix info leak in build_report()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:23.374Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31671

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:46.903

Modified: 2026-04-27T20:11:39.153

Link: CVE-2026-31671

Red Hat

Severity: Low

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31671 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T13:45:06Z

Weaknesses