CVE-2026-31428 Overview
A memory information disclosure vulnerability exists in the Linux kernel's netfilter subsystem within the nfnetlink_log module. The __build_packet_message() function manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 bytes when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket.
Critical Impact
Uninitialized kernel heap memory is exposed to userspace applications through the NFLOG netlink socket, potentially leaking sensitive kernel data.
Affected Products
- Linux kernel (multiple versions with nfnetlink_log module)
- Systems using netfilter NFLOG target for packet logging
- Network monitoring applications relying on NFULA_PAYLOAD attributes
Discovery Timeline
- 2026-04-13 - CVE CVE-2026-31428 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-31428
Vulnerability Analysis
This vulnerability is classified as an Uninitialized Memory Use issue in the Linux kernel's netfilter logging subsystem. The root cause lies in the manual construction of netlink attributes without proper memory initialization.
When the __build_packet_message() function builds the NFULA_PAYLOAD attribute, it allocates memory using nla_total_size(data_len) which accounts for NLA alignment padding to ensure 4-byte alignment. However, the actual packet data copy via skb_copy_bits() only fills data_len bytes, leaving the padding bytes (1-3 bytes depending on alignment) in an uninitialized state containing stale heap contents.
This information leak occurs through the NFLOG netlink socket, which is accessible to userspace applications that have appropriate permissions to receive netlink messages. The leaked data could potentially contain sensitive kernel memory contents, though exploitation requires local access and appropriate privileges to read from the NFLOG socket.
Root Cause
The vulnerability stems from bypassing the standard netlink attribute helper functions (nla_reserve() and nla_put()) which properly handle memory initialization. The manual attribute construction using skb_put() allocates the required space but does not zero out the alignment padding bytes. The nla_reserve() helper includes built-in padding zeroing via __nla_reserve(), which the vulnerable code path circumvents.
Attack Vector
The attack vector requires local access to the system with permissions to read from the NFLOG netlink socket. An attacker with such access could:
- Configure the NFLOG target to capture specific network traffic
- Receive packets via the NFLOG netlink socket
- Examine the padding bytes in NFULA_PAYLOAD attributes
- Extract uninitialized heap memory contents leaked in the 1-3 padding bytes
The vulnerability is triggered when packet payloads have lengths that are not 4-byte aligned, causing the padding bytes to remain uninitialized.
Detection Methods for CVE-2026-31428
Indicators of Compromise
- Unexpected access patterns to NFLOG netlink sockets from non-standard processes
- Unusual NFLOG target configurations in iptables/nftables rules
- Processes attempting to parse NFULA_PAYLOAD padding bytes
- Memory analysis showing heap data extraction attempts through netlink interfaces
Detection Strategies
- Monitor for unusual netlink socket activity on NETLINK_NETFILTER family
- Implement system call auditing for socket() calls creating netlink sockets
- Review iptables/nftables configurations for unexpected NFLOG targets
- Deploy kernel-level monitoring to detect access to netfilter logging subsystem
Monitoring Recommendations
- Enable audit logging for netlink socket operations
- Monitor /proc/net/netfilter/nf_log for configuration changes
- Implement network security monitoring for NFLOG usage patterns
- Review kernel logs for netfilter-related messages
How to Mitigate CVE-2026-31428
Immediate Actions Required
- Apply the latest kernel security patches from your distribution
- Review and restrict access to NFLOG netlink sockets where possible
- Audit systems for unnecessary NFLOG configurations
- Monitor for exploitation attempts targeting this vulnerability
Patch Information
The Linux kernel developers have released patches to address this vulnerability. The fix replaces the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.
Patches are available through the following kernel git commits:
- Kernel Git Commit 52025eb
- Kernel Git Commit 7eff729
- Kernel Git Commit a2f6ff3
- Kernel Git Commit a8365d1
- Kernel Git Commit c9f6c51
- Kernel Git Commit fc961dd
Workarounds
- Disable NFLOG targets if not required for operational purposes
- Restrict access to the NFLOG netlink socket using SELinux or AppArmor policies
- Implement network namespace isolation to limit exposure
- Consider removing or blacklisting the nfnetlink_log module if NFLOG functionality is not needed
# Disable nfnetlink_log module (if not required)
modprobe -r nfnetlink_log
echo "blacklist nfnetlink_log" >> /etc/modprobe.d/blacklist-nfnetlink.conf
# Check for existing NFLOG rules
iptables -L -n -v | grep NFLOG
nft list ruleset | grep log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
