Linux Kernel Vulnerability Affecting Netlink Multicast Functionality
CVE-2026-31664

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 24 April 2026

What is CVE-2026-31664?

A vulnerability in the Linux kernel's networking stack leaks kernel heap memory contents through uninitialized padding bytes in struct xfrm_user_polexpire. The build_polexpire() function does not clear these trailing bytes, so they are exposed to user-space applications listening on the XFRMNLGRP_EXPIRE netlink multicast group. This issue can potentially be exploited to glean information about the kernel's memory state, presenting a risk of unintended data exposure.
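The bug class described above, as an added user-space illustration that is not kernel code or the upstream fix: a message struct built field by field in a reused heap buffer keeps stale bytes in its trailing padding, while clearing the whole object first removes them. The struct demo_polexpire, its fields and the 0xAA marker are hypothetical stand-ins constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old heap contents */

/* Hypothetical stand-in, not the kernel's struct xfrm_user_polexpire: an
 * 8-byte member followed by a 1-byte flag leaves trailing padding. */
struct demo_polexpire {
    uint64_t pol;
    uint8_t hard;
};

#define PAD_OFF (offsetof(struct demo_polexpire, hard) + sizeof(uint8_t))
#define PAD_LEN (sizeof(struct demo_polexpire) - PAD_OFF)

/* Flawed pattern: only the named fields are written. */
static void build_unsafe(struct demo_polexpire *m, uint64_t pol, uint8_t hard)
{
    m->pol = pol;
    m->hard = hard;
}

/* Hardened pattern: clear the whole object, padding included, then fill it. */
static void build_zeroed(struct demo_polexpire *m, uint64_t pol, uint8_t hard)
{
    memset(m, 0, sizeof(*m));
    build_unsafe(m, pol, hard);
}

/* Build one message in a reused (dirty) heap buffer and count the padding
 * bytes that would reach the receiver still holding stale data. */
size_t stale_padding_sent(int zero_first)
{
    struct demo_polexpire *m = malloc(sizeof(*m));
    size_t n = 0;

    if (!m)
        return (size_t)-1;
    memset(m, STALE, sizeof(*m)); /* simulate leftover heap contents */
    if (zero_first)
        build_zeroed(m, 42, 1);
    else
        build_unsafe(m, 42, 1);
    for (size_t i = PAD_OFF; i < sizeof(*m); i++)
        n += ((const unsigned char *)m)[i] == STALE;
    free(m);
    return n;
}
```

When auditing similar code, check every struct copied to user space or placed in a netlink message for padding that no field assignment covers.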

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Timeline

  • Vulnerability published

  • Vulnerability Reserved