SB2026042551 - Improper Initialization in Linux kernel xfrm



SB2026042551 - Improper Initialization in Linux kernel xfrm

Published: April 25, 2026

Security Bulletin ID SB2026042551
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Initialization (CVE-ID: CVE-2026-31671)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in build_report() when copying a xfrm_user_report structure to userspace. A local user can trigger the affected code path to disclose sensitive information.

The issue is caused by uninitialized padding bytes in the structure being exposed to userspace.


Remediation

Install update from vendor's website.