SB2026041412 - Use of Uninitialized Variable in Linux kernel netfilter
Published: April 14, 2026
Security Bulletin ID
SB2026041412
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use of Uninitialized Variable (CVE-ID: CVE-2026-31427)
The vulnerability allows a remote attacker to cause incorrect SDP address rewriting.
The vulnerability exists due to use of uninitialized memory in process_sdp in nf_conntrack_sip when processing SDP bodies. A remote attacker can send a specially crafted SDP message to cause incorrect SDP address rewriting.
When stack auto-initialization is enabled, the rewritten session-level addresses may become 0.0.0.0; otherwise, stale stack data may be used.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646
- https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629
- https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4
- https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025
- https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147
- https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6