PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31427 Linux CVE debrief

CVE-2026-31427 is a Linux kernel netfilter bug in nf_conntrack_sip. When SDP media parsing does not establish a valid RTP address, process_sdp() can still pass an uninitialized stack value into the nf_nat_sip sdp_session hook. That can lead to incorrect rewriting of SDP session-level owner and connection lines, including 0.0.0.0 on zero-initialized stacks or stale stack data on others. The published fix initializes the address more safely and skips the hook when no valid RTP address exists.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-13
Original CVE updated
2026-05-20
Advisory published
2026-04-13
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators running kernels with nf_conntrack_sip / nf_nat_sip support enabled, especially where SIP-aware NAT or connection tracking is used.

Technical summary

The flaw is in process_sdp() in the Linux kernel's netfilter SIP connection-tracking path. A union nf_inet_addr rtp_addr is declared on the stack and only initialized when the SDP parser finds a recognized media description with a non-zero port. If the SDP body has no m= lines, only inactive media sections, or only unrecognized media types, rtp_addr remains unassigned but is still handed to hooks->sdp_session(). The downstream nf_nat_sip code can then format that stale value as an IP address and rewrite SDP session-level o= and c= fields with it. The fix pre-initializes rtp_addr from the session-level connection address when available, tracks whether a valid address was found, and avoids the hook call when no valid address exists.

Defensive priority

Medium. The CVSS vector shows local access and low privileges are required, but the issue can still produce kernel-level incorrect data handling and availability impact in affected SIP netfilter paths. Prioritize patching supported kernels in environments that use these modules.

Recommended defensive actions

  • Apply the relevant stable kernel patch for your branch from the linked upstream Linux stable references.
  • Upgrade to a kernel version at or beyond the fixed boundary for your branch as listed by NVD (for example, beyond 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, or 6.19.11, depending on branch).
  • Inventory whether nf_conntrack_sip and nf_nat_sip are enabled or needed in your environment, and prioritize remediation on systems that use SIP-aware netfilter processing.

Evidence notes

The supplied CVE description states that process_sdp() can pass an uninitialized rtp_addr to nf_nat_sip's sdp_session hook when SDP input lacks a valid media-derived address. NVD marks the issue as CVE-2026-31427 with CVSS 5.5/AV:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-908, and lists affected Linux kernel version ranges plus multiple stable patch references on git.kernel.org. The CVE and NVD records were published on 2026-04-13 and last modified on 2026-05-20, per the provided timeline fields.

Official resources

CVE record published 2026-04-13T14:16:12.783Z and last modified 2026-05-20T19:27:17.860Z, per the supplied timeline fields.