CVE-2026-31664
Description
In the Linux kernel, the following vulnerability has been resolved:
xfrm: clear trailing padding in build_polexpire()
build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire.
The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents.
Add the missing memset_after() call, matching build_expire().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing memset_after() in Linux kernel's xfrm build_polexpire() leaks heap memory to userspace via netlink multicast.
Vulnerability
In the Linux kernel's XFRM (IPsec) subsystem, build_polexpire() fills a struct xfrm_user_polexpire to notify userspace that a policy has expired. Unlike the analogous build_expire(), it does not call memset_after() to clear the bytes that follow the __u8 hard field. Those bytes are alignment padding: hard is the last member, and the compiler pads the struct out to the alignment of the preceding struct xfrm_userpolicy_info. Nothing in the builder writes them, so they keep whatever the heap allocation previously contained.
Exploitation
The message is delivered, padding included, via netlink multicast to the XFRMNLGRP_EXPIRE group. Joining a netlink multicast group normally requires CAP_NET_ADMIN in the socket's network namespace, so the listener is typically a privileged local process. Where unprivileged user namespaces are enabled, an ordinary local user can obtain that capability in a private network namespace, add a policy with a short lifetime, and collect the expiry notifications, so the exposure should not be treated as root-only. No network position is needed; the attacker only has to be able to receive the events.
Impact
Each notification discloses the padding bytes after hard: a few bytes of whatever previously occupied that slab memory, which can be anything from kernel pointers to fragments of other objects. The amount per message is small, but it is unbounded over repeated expiry events, and leaked pointers help defeat KASLR. The issue is an information disclosure (CWE-200) with a CVSS v3 base score of 5.5 (Medium).
Mitigation
The fix adds the missing memset_after() call to build_polexpire(), matching build_expire(), and has been applied to the Linux stable trees [1]. Update to a kernel that contains the commit or the corresponding stable backport. There is no configuration workaround: the existing CAP_NET_ADMIN requirement for joining the multicast group limits who can receive the notifications but does not remove the leak.
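The listener side of what the paragraph above describes, as an added example that is neither part of this page's synthesized insight nor kernel code: a C program (function names scan_polexpire_padding, leaked_bytes_in_sample and polexpire_padding_len are this example's own) that joins XFRMNLGRP_EXPIRE on a NETLINK_XFRM socket and, for every XFRM_MSG_POLEXPIRE notification, counts non-zero bytes in the padding after hard using the real struct xfrm_user_polexpire from <linux/xfrm.h>. It first checks itself against a constructed in-memory notification whose stale allocation bytes are assumed to be 0xAA, so the scanner can be exercised without privileges.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

#define offsetofend(TYPE, MEMBER) \
    (offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* The region the unpatched build_polexpire() leaves uninitialised:
 * every byte after `hard` up to the end of struct xfrm_user_polexpire. */
size_t polexpire_padding_len(void)
{
    return sizeof(struct xfrm_user_polexpire) -
           offsetofend(struct xfrm_user_polexpire, hard);
}

/* Walk one recv() worth of netlink messages and, for every XFRM_MSG_POLEXPIRE,
 * count trailing-padding bytes that are not zero. A patched kernel yields 0. */
size_t scan_polexpire_padding(const unsigned char *buf, size_t len)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    int remaining = (int)len;
    size_t leaked = 0;

    while (NLMSG_OK(nlh, remaining)) {
        if (nlh->nlmsg_type == XFRM_MSG_POLEXPIRE &&
            (size_t)nlh->nlmsg_len >= NLMSG_LENGTH(sizeof(struct xfrm_user_polexpire))) {
            const unsigned char *upe = NLMSG_DATA(nlh);
            for (size_t i = offsetofend(struct xfrm_user_polexpire, hard);
                 i < sizeof(struct xfrm_user_polexpire); i++)
                if (upe[i] != 0)
                    leaked++;
        }
        nlh = NLMSG_NEXT(nlh, remaining);
    }
    return leaked;
}

/* Constructed sample notification (not captured traffic): the skb memory is
 * assumed to have held 0xAA bytes before reuse; `patched` selects whether the
 * kernel cleared the padding. Returns what the scanner reports for it. */
size_t leaked_bytes_in_sample(int patched)
{
    static unsigned char buf[NLMSG_SPACE(sizeof(struct xfrm_user_polexpire))]
        __attribute__((aligned(8)));
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct xfrm_user_polexpire upe;

    memset(buf, 0, sizeof(buf));
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(upe));
    nlh->nlmsg_type = XFRM_MSG_POLEXPIRE;

    memset(&upe, 0xAA, sizeof(upe));       /* stale allocation contents */
    memset(&upe.pol, 0, sizeof(upe.pol));  /* policy fields the kernel fills */
    upe.pol.index = 42;
    upe.hard = 1;                          /* padding after this byte is untouched */
    if (patched)
        memset((char *)&upe + offsetofend(struct xfrm_user_polexpire, hard), 0,
               polexpire_padding_len());
    memcpy(NLMSG_DATA(nlh), &upe, sizeof(upe));
    return scan_polexpire_padding(buf, nlh->nlmsg_len);
}

/* Live check: join XFRMNLGRP_EXPIRE (needs CAP_NET_ADMIN in this netns)
 * and scan every notification the kernel multicasts. */
int main(void)
{
    printf("padding after hard: %zu bytes; sample unpatched leaks %zu, patched %zu\n",
           polexpire_padding_len(), leaked_bytes_in_sample(0), leaked_bytes_in_sample(1));

    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK,
                              .nl_groups = 1u << (XFRMNLGRP_EXPIRE - 1) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        fprintf(stderr, "cannot join XFRMNLGRP_EXPIRE: %s\n", strerror(errno));
        return 1;
    }
    for (;;) {
        unsigned char rx[8192] __attribute__((aligned(8)));
        ssize_t n = recv(fd, rx, sizeof(rx), 0);
        if (n <= 0)
            break;
        printf("notification: %zu non-zero padding byte(s) in POLEXPIRE payload\n",
               scan_polexpire_padding(rx, (size_t)n));
    }
    close(fd);
    return 0;
}
```

Build with cc and run as root (or with CAP_NET_ADMIN) while a policy expires, for example one added with `ip xfrm policy add ... limit time-soft 1`; a patched kernel reports 0 for every notification. The bitmask form of nl_groups is used for the bind() because XFRMNLGRP_EXPIRE is a small group number; NETLINK_ADD_MEMBERSHIP would work equally well.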
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
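To make the mechanism described under Vulnerability and Mitigation concrete, here is an added example that is neither the kernel's code nor part of this page's insight text: a userspace C model with a stand-in struct polexpire_msg whose layout reproduces the padding after hard, a re-implementation of the kernel's memset_after() macro, and build_polexpire_unpatched() / build_polexpire_patched() showing the pre- and post-fix behaviour side by side. The 0xAA fill that stands in for stale slab contents, the struct field names and the function names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct xfrm_userpolicy_info (assumption: the real struct is
 * much larger; what matters is 8-byte alignment and no internal padding). */
struct policy_info {
    uint64_t soft_byte_limit;
    uint32_t index;
    uint32_t priority;
};

/* Stand-in for struct xfrm_user_polexpire: a wide-aligned struct followed by
 * a lone byte makes the compiler pad after `hard` up to the next multiple
 * of the struct's alignment. */
struct polexpire_msg {
    struct policy_info pol;
    uint8_t hard;
};

#define offsetofend(TYPE, MEMBER) \
    (offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Userspace re-implementation of the kernel's memset_after(): overwrite
 * every byte of *obj that follows MEMBER with v. */
#define memset_after(obj, v, member) do {                        \
    char *mp_ = (char *)(obj);                                    \
    size_t mo_ = offsetofend(__typeof__(*(obj)), member);         \
    memset(mp_ + mo_, (v), sizeof(*(obj)) - mo_);                 \
} while (0)

/* Number of padding bytes after `hard` (7 on x86-64 and arm64). */
size_t polexpire_padding_len(void)
{
    return sizeof(struct polexpire_msg) -
           offsetofend(struct polexpire_msg, hard);
}

/* Stand-in for the netlink skb allocation. Slab memory is recycled; to make
 * the leftover contents visible we pre-fill with 0xAA (constructed). */
static struct polexpire_msg *stale_alloc(void)
{
    struct polexpire_msg *upe = malloc(sizeof(*upe));
    if (upe)
        memset(upe, 0xAA, sizeof(*upe));
    return upe;
}

/* Field-by-field writes, as in build_polexpire(); these never touch padding. */
static void fill_message(struct polexpire_msg *upe, int hard)
{
    upe->pol.soft_byte_limit = 1 << 20;
    upe->pol.index = 42;
    upe->pol.priority = 100;
    upe->hard = (uint8_t)hard;
}

/* Pre-fix behaviour: every named field is initialised, the padding is not. */
struct polexpire_msg *build_polexpire_unpatched(int hard)
{
    struct polexpire_msg *upe = stale_alloc();
    if (upe)
        fill_message(upe, hard);
    return upe;
}

/* Fixed behaviour: the same, plus the memset_after() call the patch adds. */
struct polexpire_msg *build_polexpire_patched(int hard)
{
    struct polexpire_msg *upe = stale_alloc();
    if (upe) {
        fill_message(upe, hard);
        memset_after(upe, 0, hard);
    }
    return upe;
}

/* What a XFRMNLGRP_EXPIRE listener sees on the wire: the bytes after `hard`
 * that still carry the allocation's previous contents. */
size_t count_leaked_padding(const struct polexpire_msg *upe)
{
    const unsigned char *raw = (const unsigned char *)upe;
    size_t leaked = 0;
    for (size_t i = offsetofend(struct polexpire_msg, hard); i < sizeof(*upe); i++)
        if (raw[i] != 0)
            leaked++;
    return leaked;
}

int main(void)
{
    struct polexpire_msg *bad = build_polexpire_unpatched(1);
    struct polexpire_msg *good = build_polexpire_patched(1);
    if (!bad || !good)
        return 1;
    printf("sizeof=%zu, padding after hard=%zu\n", sizeof(*bad), polexpire_padding_len());
    printf("unpatched: %zu stale byte(s) leak\n", count_leaked_padding(bad));
    printf("patched:   %zu stale byte(s) leak\n", count_leaked_padding(good));
    free(bad);
    free(good);
    return 0;
}
```

The point the model makes is that member-wise stores are exactly what the builder does and exactly what leaves padding alone; the only ways to guarantee clean padding are an explicit clear like memset_after(), a whole-object memset before filling, or a zeroed allocation.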
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=2.6.12.1, <6.1.169)
- cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/71a98248c63c535eaa4d4c22f099b68d902006d0 (NVD: Patch)
- git.kernel.org/stable/c/ac6985903db047eaff54db929e4bf6b06782788e (NVD: Patch)
- git.kernel.org/stable/c/b1dfd6b27df35ef4f87825aa5f607378d23ff0f2 (NVD: Patch)
- git.kernel.org/stable/c/c221ed63a2769a0af8bd849dfe25740048f34ef4 (NVD: Patch)
- git.kernel.org/stable/c/e1af65c669ebb1666c54576614c01a7f9ffcfff6 (NVD: Patch)
- git.kernel.org/stable/c/eda30846ea54f8ed218468e5480c8305ca645e37 (NVD: Patch)
News mentions
No linked articles in our index yet.