CVE Catalog

CVE-2026-31664

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the build_polexpire() function of the xfrm subsystem fails to clear trailing padding bytes after the 'hard' field in the xfrm_user_polexpire structure, leaking uninitialized heap memory to userspace via netlink multicast.

Risk Assessment

The organization risks exposure of sensitive kernel memory contents, such as passwords or cryptographic keys, potentially leading to privilege escalation or confidentiality breaches.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit adding memset_after() in build_polexpire()). A system reboot is required after the update.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents. Add the missing memset_after() call, matching build_expire().

Vulnerability data from NVD (NIST) · CISA KEV · EPSS