SB2026042551 - Improper Initialization in Linux kernel xfrm
Published: April 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Initialization (CVE-ID: CVE-2026-31671)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper initialization in build_report() when copying a xfrm_user_report structure to userspace. A local user can trigger the affected code path to disclose sensitive information.
The issue is caused by uninitialized padding bytes in the structure being exposed to userspace.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9
- https://git.kernel.org/stable/c/0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72
- https://git.kernel.org/stable/c/6c55714c931051cd7f4839c19ce0867179fd22fe
- https://git.kernel.org/stable/c/716c546e88cfe49d841658240e10cb57bc50a2cc
- https://git.kernel.org/stable/c/d10119968d0e1f2b669604baf2a8b5fdb72fa6b4
- https://git.kernel.org/stable/c/d27c02eec529f78055a46a5c9e6c62684382b2d8
- https://git.kernel.org/stable/c/e0c8542c3d097ed4205ded51868195d5d6ddac62
- https://git.kernel.org/stable/c/ff5ee507302303b15859753c3e0d67d38fd12c88