CVE-2026-31428
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
__build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket.
Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a netfilter flaw in NFULA_PAYLOAD leaks 1-3 uninitialized heap bytes due to missing padding zeroing in __build_packet_message().
Vulnerability
Overview
A medium-severity information-disclosure vulnerability (CVSS 5.5) exists in the Linux kernel's netfilter subsystem, specifically in the nfnetlink_log module. The function __build_packet_message() constructs the NFULA_PAYLOAD netlink attribute manually using skb_put() and skb_copy_bits() instead of the proper nla_reserve()/nla_put() helpers. While the total allocated size includes the NLA alignment padding, only the actual data bytes are copied; the trailing padding bytes (1 to 3 bytes when the payload length is not a multiple of 4) remain uninitialized, disclosing stale heap content to any process able to read from the NFLOG netlink socket [1].
Attack
Vector
An attacker who can receive netlink messages from the NFLOG socket family—usually a local user with CAP_NET_ADMIN capability or root—can observe the leaked data. No remote network access is required; the attack surface is local. The leak occurs every time a packet log message is built where the captured payload length is not 4-byte aligned. Because the missing initialization is in the netfilter logging path, any packet that triggers a log entry (e.g., through iptables or nftables rules) can carry the stale bytes [1].
Impact
A local attacker can retrieve up to three bytes of uninitialized kernel heap memory per monitored packet. This may reveal sensitive kernel pointers, slab metadata, or fragments of previous allocations, breaking kernel address-space layout randomization (KASLR) or enabling further exploitation. The information disclosure is limited in size per event but can be repeated over many logged packets to accumulate data [1].
Mitigation
The fix replaces the manual attribute construction with nla_reserve(), which internally zeroes the padding via __nla_reserve(). The upstream commit has been applied to stable kernel branches; system administrators should apply the latest kernel updates for their distribution. No workaround exists short of disabling netlink logging or restricting access to the NFLOG socket [1].
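A userspace model, added here and not taken from the kernel or the patch, of the two attribute constructions that the Description and this Mitigation section contrast: put_payload_vulnerable() mimics the skb_put()/skb_copy_bits() path that leaves the nla_padlen(data_len) trailing bytes untouched, and put_payload_fixed() mimics the zeroing that nla_reserve() performs; the buffer pre-fill, the packet bytes and the attribute type value are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Netlink attribute layout rules, restated from the uapi definitions
 * (this is a userspace model, not kernel code). */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN 4
#define ATTR_TYPE 9 /* stand-in; the real NFULA_PAYLOAD value comes from the uapi header */
#define STALE 0xAA  /* constructed "previous allocation" byte pattern */
static size_t nla_padlen(size_t payload) { return NLA_ALIGN(payload) - payload; }
static size_t nla_total_size(size_t payload) { return NLA_HDRLEN + NLA_ALIGN(payload); }
static void write_hdr(uint8_t *buf, size_t data_len) {
    uint16_t len = (uint16_t)(NLA_HDRLEN + data_len), type = ATTR_TYPE;
    memcpy(buf, &len, 2);
    memcpy(buf + 2, &type, 2);
}
/* Vulnerable pattern: the whole nla_total_size() region is claimed, but only
 * data_len bytes are written, so the padding keeps whatever the buffer held. */
static void put_payload_vulnerable(uint8_t *buf, const uint8_t *pkt, size_t data_len) {
    write_hdr(buf, data_len);
    memcpy(buf + NLA_HDRLEN, pkt, data_len);
}
/* Fixed pattern: as nla_reserve() does, zero the padding so the later payload
 * copy lands on a fully initialised attribute. */
static void put_payload_fixed(uint8_t *buf, const uint8_t *pkt, size_t data_len) {
    write_hdr(buf, data_len);
    memset(buf + NLA_HDRLEN + data_len, 0, nla_padlen(data_len));
    memcpy(buf + NLA_HDRLEN, pkt, data_len);
}
/* Build one attribute into a buffer pre-filled with STALE and return how many
 * padding bytes still carry the stale pattern (what a socket reader would see). */
static size_t stale_padding_bytes(size_t data_len, int fixed) {
    uint8_t skb[32], pkt[16];
    memset(skb, STALE, sizeof skb);
    memset(pkt, 0x11, sizeof pkt); /* constructed packet bytes */
    if (fixed) put_payload_fixed(skb, pkt, data_len);
    else       put_payload_vulnerable(skb, pkt, data_len);
    size_t n = 0;
    for (size_t i = 0; i < nla_padlen(data_len); i++)
        if (skb[NLA_HDRLEN + data_len + i] == STALE) n++;
    return n;
}
int main(void) {
    for (size_t len = 4; len <= 8; len++)
        printf("data_len=%zu total=%zu pad=%zu stale(vuln)=%zu stale(fixed)=%zu\n", len,
               nla_total_size(len), nla_padlen(len), stale_padding_bytes(len, 0), stale_padding_bytes(len, 1));
    return 0;
}
```

Only lengths that are not a multiple of 4 produce a non-zero stale count in the vulnerable variant, matching the 1-3 byte figure in the description.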
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/21d8efda029948d3666b0db5afcc0d36c0984aae (NVD tag: Patch)
- git.kernel.org/stable/c/52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7 (NVD tag: Patch)
- git.kernel.org/stable/c/7eff72968161fb8ddb26113344de3b92fb7d7ef5 (NVD tag: Patch)
- git.kernel.org/stable/c/7f3e5d72455936f42709116fabeca3bb216cda62 (NVD tag: Patch)
- git.kernel.org/stable/c/a2f6ff3444b663d6cfa63eadd61327a18592885a (NVD tag: Patch)
- git.kernel.org/stable/c/a8365d1064ded323797c5e28e91070c52f44b76c (NVD tag: Patch)
- git.kernel.org/stable/c/c9f6c51d36482805ac3ffadb9663fe775a13e926 (NVD tag: Patch)
- git.kernel.org/stable/c/fc961dd7272b5e4a462999635e44a4770d7f2482 (NVD tag: Patch)
News mentions
- Patch Tuesday - April 2026 (Rapid7 Blog, Apr 14, 2026)