Improper Initialization in Linux kernel - CVE-2026-31671

Published: April 25, 2026


Vulnerability identifier: #VU127733
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31671
CWE-ID: CWE-665
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in build_report() when copying an xfrm_user_report structure to userspace. A local user can trigger the affected code path to disclose sensitive information.

The issue is caused by uninitialized padding bytes in the structure being exposed to userspace.
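As an added illustration of this defect class (example code, not the advisory's or the kernel's own), the following constructed C program uses a hypothetical two-field structure with one byte of compiler-inserted padding: writing only the named fields leaves that byte holding stale memory, zeroing the object first does not, and a byte-level check over the object reports how many padding bytes would be disclosed on a copy to userspace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical report structure (constructed for this example): a 1-byte field
 * followed by a 2-byte field forces one byte of compiler padding at offset 1. */
struct user_report {
    uint8_t  proto;
    uint16_t sport;
};

/* Defective pattern: only named fields are written; padding keeps stale data. */
static void build_report_fields_only(struct user_report *r, uint8_t proto, uint16_t sport)
{
    memset(r, 0xAA, sizeof(*r));   /* 0xAA simulates stale stack contents */
    r->proto = proto;
    r->sport = sport;
}

/* Fixed pattern: zero the whole object first, so every byte copied out is defined. */
static void build_report_zeroed(struct user_report *r, uint8_t proto, uint16_t sport)
{
    memset(r, 0xAA, sizeof(*r));   /* same stale starting state as above */
    memset(r, 0, sizeof(*r));
    r->proto = proto;
    r->sport = sport;
}

/* Non-zero bytes no named field covers: what a copy_to_user() of r would disclose. */
static size_t leaked_padding_bytes(const struct user_report *r)
{
    unsigned char covered[sizeof(*r)] = {0};
    memset(covered + offsetof(struct user_report, proto), 1, sizeof(r->proto));
    memset(covered + offsetof(struct user_report, sport), 1, sizeof(r->sport));
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof(*r); i++)
        if (!covered[i] && ((const unsigned char *)r)[i] != 0)
            leaked++;
    return leaked;
}

int main(void)
{
    struct user_report a, b;
    build_report_fields_only(&a, 50, 500);
    build_report_zeroed(&b, 50, 500);
    printf("fields-only leaks %zu byte(s), zeroed leaks %zu\n", leaked_padding_bytes(&a), leaked_padding_bytes(&b));
    return 0;
}
```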


How to mitigate CVE-2026-31671

Install the security update from the vendor's repository.

Sources