PatchSiren

CVE-2026-31428 Linux CVE debrief

CVE-2026-31428 is a Linux kernel issue in nfnetlink_log where NFULA_PAYLOAD was built manually and could expose uninitialized padding bytes to userspace. NVD rates the issue MEDIUM, and the reported attack vector is local with low privileges. The fix replaces the manual attribute construction with the standard netlink reservation path so padding is initialized before the payload is copied in.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-05-20
Advisory published: 2026-04-13
Advisory updated: 2026-05-20

Who should care

Linux distribution maintainers, kernel patch teams, and administrators running kernels with netfilter/NFLOG capability should care, especially on systems that allow unprivileged or low-privileged local users to interact with the affected kernel interfaces.

Technical summary

The vulnerable __build_packet_message() path used skb_put() and skb_copy_bits() to assemble the NFULA_PAYLOAD attribute after allocating nla_total_size(data_len) bytes. That allocation reserves alignment padding, but only data_len bytes of packet content were copied, leaving nla_padlen(data_len) trailing bytes uninitialized. Those bytes could then be disclosed to userspace over the NFLOG netlink socket. The remedy is to use nla_reserve(), which performs the tailroom check, sets up the attribute header, and zeroes padding via __nla_reserve() before skb_copy_bits() fills the payload.
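The padding arithmetic described above can be reproduced in userspace. The following is an added example, not kernel code or the upstream patch: it models the attribute layout with hypothetical helpers (attr_size, total_size, pad_len, build_manual, build_reserved, stale_pad_bytes) and uses a constructed 0xAA fill to stand in for stale heap bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the netlink attribute layout; names are illustrative. */
#define HDRLEN 4u                              /* u16 nla_len + u16 nla_type */
#define ALIGN4(n) (((n) + 3) & ~(size_t)3)     /* attributes are 4-byte aligned */

static size_t attr_size(size_t len)  { return HDRLEN + len; }                     /* cf. nla_attr_size()  */
static size_t total_size(size_t len) { return ALIGN4(attr_size(len)); }           /* cf. nla_total_size() */
static size_t pad_len(size_t len)    { return total_size(len) - attr_size(len); } /* cf. nla_padlen()     */

static void put_hdr(uint8_t *p, uint16_t type, size_t len) {
    uint16_t nla_len = (uint16_t)attr_size(len);  /* length field excludes padding */
    memcpy(p, &nla_len, 2);
    memcpy(p + 2, &type, 2);
}

/* "Before": claim total_size() bytes, copy only len; padding keeps old bytes. */
static size_t build_manual(uint8_t *tail, uint16_t type, const uint8_t *data, size_t len) {
    put_hdr(tail, type, len);
    memcpy(tail + HDRLEN, data, len);
    return total_size(len);
}

/* "After": zero the padding before the payload copy, as nla_reserve() does. */
static size_t build_reserved(uint8_t *tail, uint16_t type, const uint8_t *data, size_t len) {
    put_hdr(tail, type, len);
    memset(tail + attr_size(len), 0, pad_len(len));
    memcpy(tail + HDRLEN, data, len);
    return total_size(len);
}

/* Build one attribute (constructed type value 9) over a buffer pre-filled with
 * 0xAA and count the padding bytes that still hold that pattern afterwards. */
static size_t stale_pad_bytes(int fixed, size_t len) {
    uint8_t buf[64], pkt[32];
    memset(buf, 0xAA, sizeof buf);              /* constructed "stale heap" */
    memset(pkt, 0x11, sizeof pkt);              /* constructed packet bytes */
    size_t n = 0, end = fixed ? build_reserved(buf, 9, pkt, len) : build_manual(buf, 9, pkt, len);
    for (size_t i = attr_size(len); i < end; i++) n += (buf[i] == 0xAA);
    return n;
}

int main(void) {
    for (size_t len = 5; len <= 8; len++)
        printf("len=%zu pad=%zu manual=%zu reserved=%zu\n", len, pad_len(len),
               stale_pad_bytes(0, len), stale_pad_bytes(1, len));
    return 0;
}
```

Payload lengths that are already a multiple of four produce no padding, so the exposure in the manual path is at most three bytes per logged packet.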

Defensive priority

Medium. The issue is locally reachable, requires low privileges, and involves disclosure of stale kernel heap contents. Patch priority should be elevated on multi-user systems and any host exposing NFLOG-related functionality to local users.

Recommended defensive actions

  • Apply the kernel updates that contain the nfnetlink_log fix referenced in the official stable patches.
  • Confirm your deployed kernel build is newer than the affected versions listed by NVD for your branch.
  • Review whether nfnetlink_log/NFLOG is needed on the system and reduce exposure where it is not required.
  • Track vendor kernel advisories for backported fixes if you use a distribution kernel.
  • Validate patched systems by confirming the affected netfilter code path now uses nla_reserve() rather than manual attribute construction.

Evidence notes

NVD lists CVE-2026-31428 as published on 2026-04-13 and last modified on 2026-05-20. The supplied description states the bug leaks uninitialized padding from NFULA_PAYLOAD through the NFLOG netlink socket and that the fix switches to nla_reserve()/__nla_reserve() for initialization. NVD also lists the vulnerable Linux kernel version ranges and a CVSS v3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Official resources

Publicly disclosed in the CVE record on 2026-04-13, with NVD metadata last modified on 2026-05-20. Official kernel patch references are included in the source record.