Bug 2457841 (CVE-2026-31428) - CVE-2026-31428 kernel: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
Summary: CVE-2026-31428 kernel: netfilter: nfnetlink_log: fix uninitialized padding le...
Keywords:
Status: NEW
Alias: CVE-2026-31428
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-13 14:02 UTC by OSIDB Bzimport
Modified: 2026-04-13 17:20 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-13 14:02:41 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD

__build_packet_message() manually constructs the NFULA_PAYLOAD netlink
attribute using skb_put() and skb_copy_bits(), bypassing the standard
nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes
are allocated (including NLA alignment padding), only data_len bytes
of actual packet data are copied. The trailing nla_padlen(data_len)
bytes (1-3 when data_len is not 4-byte aligned) are never initialized,
leaking stale heap contents to userspace via the NFLOG netlink socket.

Replace the manual attribute construction with nla_reserve(), which
handles the tailroom check, header setup, and padding zeroing via
__nla_reserve(). The subsequent skb_copy_bits() fills in the payload
data on top of the properly initialized attribute.
Comment 1 Keith Grant 2026-04-13 17:19:02 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026041358-CVE-2026-31428-20a2@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.