CVE-2026-31664
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, a vulnerability in the build_polexpire() function of the xfrm subsystem fails to clear trailing padding bytes after the 'hard' field in the xfrm_user_polexpire structure, leaking uninitialized heap memory to userspace via netlink multicast.
Risk Assessment
The organization risks exposure of sensitive kernel memory contents, such as passwords or cryptographic keys, potentially leading to privilege escalation or confidentiality breaches.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit adding memset_after() in build_polexpire()). A system reboot is required after the update.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents. Add the missing memset_after() call, matching build_expire().

