Vulnerability in Linux Kernel Affects Netfilter Component
CVE-2026-31427

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 13 April 2026

What is CVE-2026-31427?

A vulnerability in the Linux kernel's Netfilter component could allow uninitialized memory to be used during SIP session handling. The issue lies in the process_sdp() function, where an uninitialized union variable, rtp_addr, is passed to the nf_nat_sip sdp_session hook. This occurs when the SDP body either lacks valid media lines or contains only inactive or unrecognized media types. In that case the function may invoke the hook with an indeterminate stack value, which can lead to misconfiguration of session-level addresses in the SDP. The fix pre-initializes rtp_addr when possible and ensures that a valid address has been established before the sdp_session hook is invoked.
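The pattern described above, as an added example that is not the kernel's code or the actual patch: a simplified user-space model of the flow before and after the fix. Only rtp_addr is a name from the advisory; every other identifier is hypothetical, the 0xAA fill is a constructed stand-in for stale stack bytes, and seeding from a session-level address is an assumed reading of "when possible".

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, not kernel code. Only rtp_addr is a name from the
 * advisory; every other identifier here is hypothetical. */
union addr { uint32_t ip; uint8_t ip6[16]; };
enum media { MEDIA_ACTIVE, MEDIA_INACTIVE, MEDIA_UNKNOWN };
struct hook_log { int calls; union addr seen; };

/* Stand-in for the sdp_session hook: records the address it was handed. */
static void session_hook(struct hook_log *log, const union addr *a)
{
    log->calls++;
    log->seen = *a;
}

/* Pre-fix shape: the hook always runs. 0xAA is a constructed stand-in for
 * stale stack bytes so the example stays well-defined C. */
static void process_unfixed(const enum media *m, const uint32_t *ips, size_t n,
                            struct hook_log *log)
{
    union addr rtp_addr;
    memset(&rtp_addr, 0xAA, sizeof(rtp_addr));
    for (size_t i = 0; i < n; i++)
        if (m[i] == MEDIA_ACTIVE) rtp_addr.ip = ips[i];
    session_hook(log, &rtp_addr);   /* runs even if no line set rtp_addr */
}

/* Post-fix shape: seed rtp_addr from a session-level address when one
 * exists (assumed meaning of "when possible"), and skip the hook unless
 * some valid address was established. */
static bool process_fixed(const enum media *m, const uint32_t *ips, size_t n,
                          const uint32_t *session_ip, struct hook_log *log)
{
    union addr rtp_addr;
    bool have_addr = (session_ip != NULL);
    memset(&rtp_addr, 0, sizeof(rtp_addr));
    if (session_ip)
        rtp_addr.ip = *session_ip;
    for (size_t i = 0; i < n; i++)
        if (m[i] == MEDIA_ACTIVE) {
            rtp_addr.ip = ips[i];
            have_addr = true;
        }
    if (have_addr)
        session_hook(log, &rtp_addr);
    return have_addr;
}
```

With only inactive or unrecognized media and no session-level address, the pre-fix shape hands the hook the poison pattern, while the post-fix shape never calls it.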

Affected Version(s)

Linux 4ab9e64e5e3c0516577818804aaf13a630d67bc9 < 6e5e3c87b7e6212f1d8414fc2e4d158b01e12025

Linux 4ab9e64e5e3c0516577818804aaf13a630d67bc9

Linux 4ab9e64e5e3c0516577818804aaf13a630d67bc9 < 7edca70751b9bdb5b83eed53cde21eccf3c86147

Timeline

  • Vulnerability published

  • Vulnerability Reserved
