Use of uninitialized resource in Linux kernel - CVE-2026-31664
Published: April 25, 2026
Vulnerability identifier: #VU127725
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31664
CWE-ID: CWE-908
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to uninitialized memory exposure in build_polexpire() when sending netlink multicast notifications to XFRMNLGRP_EXPIRE listeners. A local user can receive a crafted expiration notification to disclose sensitive information.
The issue leaks trailing padding bytes from struct xfrm_user_polexpire to userspace.
How to mitigate CVE-2026-31664
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/71a98248c63c535eaa4d4c22f099b68d902006d0
- https://git.kernel.org/stable/c/ac6985903db047eaff54db929e4bf6b06782788e
- https://git.kernel.org/stable/c/b1dfd6b27df35ef4f87825aa5f607378d23ff0f2
- https://git.kernel.org/stable/c/c221ed63a2769a0af8bd849dfe25740048f34ef4
- https://git.kernel.org/stable/c/e1af65c669ebb1666c54576614c01a7f9ffcfff6
- https://git.kernel.org/stable/c/eda30846ea54f8ed218468e5480c8305ca645e37