{"id":"CVE-2026-31428","summary":"netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD\n\n__build_packet_message() manually constructs the NFULA_PAYLOAD netlink\nattribute using skb_put() and skb_copy_bits(), bypassing the standard\nnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes\nare allocated (including NLA alignment padding), only data_len bytes\nof actual packet data are copied. The trailing nla_padlen(data_len)\nbytes (1-3 when data_len is not 4-byte aligned) are never initialized,\nleaking stale heap contents to userspace via the NFLOG netlink socket.\n\nReplace the manual attribute construction with nla_reserve(), which\nhandles the tailroom check, header setup, and padding zeroing via\n__nla_reserve(). The subsequent skb_copy_bits() fills in the payload\ndata on top of the properly initialized attribute.","modified":"2026-05-13T03:51:59.287292054Z","published":"2026-04-13T13:40:30.987Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31428.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/21d8efda029948d3666b0db5afcc0d36c0984aae"},{"type":"WEB","url":"https://git.kernel.org/stable/c/52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7eff72968161fb8ddb26113344de3b92fb7d7ef5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7f3e5d72455936f42709116fabeca3bb216cda62"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a2f6ff3444b663d6cfa63eadd61327a18592885a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a8365d1064ded323797c5e28e91070c52f44b76c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c9f6c51d36482805ac3ffadb9663fe775a13e926"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fc961dd7272b5e4a462999635e44a4770d7f2482"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31428.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31428"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"df6fb868d6118686805c2fa566e213a8f31c8e4f"},{"fixed":"7f3e5d72455936f42709116fabeca3bb216cda62"},{"fixed":"21d8efda029948d3666b0db5afcc0d36c0984aae"},{"fixed":"fc961dd7272b5e4a462999635e44a4770d7f2482"},{"fixed":"a8365d1064ded323797c5e28e91070c52f44b76c"},{"fixed":"a2f6ff3444b663d6cfa63eadd61327a18592885a"},{"fixed":"c9f6c51d36482805ac3ffadb9663fe775a13e926"},{"fixed":"7eff72968161fb8ddb26113344de3b92fb7d7ef5"},{"fixed":"52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31428.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.24"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31428.json"}}],"schema_version":"1.7.5"}