Zero Day Monitor (ZDM)
CVE-2026-31427 · EXPLOITED · PATCHED
linux · linux kernel

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However, rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found.

If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it.

With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack.

Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.
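The control flow described above, as an added user-space model (not the kernel's code and not part of the original advisory). Assumptions: the function name `session_hook_addr`, the `STALE` sentinel standing in for uninitialised stack bytes, "audio"/"video" as the recognized media types, and media-level c= lines being ignored; the SDP bodies are constructed samples.

```c
#include <stdio.h>
#include <string.h>

#define STALE "<stale stack bytes>" /* stand-in for uninitialised rtp_addr */

/* Constructed SDP bodies (documentation addresses, not captured traffic). */
static const char SDP_INACTIVE[] = "v=0\nc=IN IP4 192.0.2.10\nt=0 0\nm=audio 0 RTP/AVP 0\n";
static const char SDP_UNKNOWN[]  = "v=0\nt=0 0\nm=application 9 TCP x\n";
static const char SDP_ACTIVE[]   = "v=0\nc=IN IP4 192.0.2.10\nt=0 0\nm=audio 4000 RTP/AVP 0\n";

static const char *next_line(const char *p)
{
    p = strchr(p, '\n');
    return p ? p + 1 : NULL;
}

/* Returns the address the session hook would receive, or NULL if the hook
 * is skipped. fixed=0 models the pre-patch flow, fixed=1 the patched one. */
static const char *session_hook_addr(const char *sdp, int fixed, char *out, size_t n)
{
    char caddr[64] = "", type[16];
    const char *rtp_addr = STALE;
    int have_caddr = 0, have_rtp_addr = 0, in_media = 0;
    unsigned port;

    for (const char *p = sdp; p && *p; p = next_line(p)) {
        if (!in_media && sscanf(p, "c=IN IP4 %63s", caddr) == 1) {
            have_caddr = 1;
            if (fixed) {            /* patched: pre-initialise from caddr */
                rtp_addr = caddr;
                have_rtp_addr = 1;
            }
        } else if (sscanf(p, "m=%15s %u", type, &port) == 2) {
            int known = !strcmp(type, "audio") || !strcmp(type, "video");
            in_media = 1;
            if (known && port != 0 && have_caddr) {
                rtp_addr = caddr;   /* the only assignment in the old flow */
                have_rtp_addr = 1;
            }
        }
    }
    if (fixed && !have_rtp_addr)
        return NULL;                /* patched: skip the sdp_session hook */
    snprintf(out, n, "%s", rtp_addr);
    return out;
}
```

For an SDP body whose only media section is inactive, the pre-patch flow hands the sentinel to the hook, while the patched flow hands it the session-level address or skips the hook when no address exists.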

Affected Products

Vendor · Product · Versions
linux · linux kernel · 4ab9e64e5e3c0516577818804aaf13a630d67bc9, 4ab9e64e5e3c0516577818804aaf13a630d67bc9, 4ab9e64e5e3c0516577818804aaf13a630d67bc9, 4ab9e64e5e3c0516577818804aaf13a630d67bc9, 4ab9e64e5e3c0516577818804aaf13a630d67bc9, 4ab9e64e5e3c0516577818804aaf13a630d67bc9, 4ab9e64e5e3c0516577818804aaf13a630d67bc9, 4ab9e64e5e3c0516577818804aaf13a630d67bc9, 2.6.26

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor · Product · Source · Confidence
linux · linux · mitre_affected · 90%
open source · open source linux kernel · cert_advisory · 90%

References

  • https://git.kernel.org/stable/c/faa6ea32797a1847790514ff0da1be1d09771580
  • https://git.kernel.org/stable/c/82baeb871e8f04906bc886273fdf0209e1754eb3
  • https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025
  • https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6
  • https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147
  • https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646
  • https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629
  • https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4

Related News (4 articles)

Tier B · BSI Advisories · 6d ago
[NEW] [medium] Linux Kernel: Multiple vulnerabilities
→ No new info (linked only)

Tier A · Microsoft MSRC · 6d ago
CVE-2026-31427 netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
→ No new info (linked only)

Tier C · VulDB · 7d ago
CVE-2026-31427 | Linux Kernel up to 6.1.167/6.6.130/6.12.79/6.18.20/6.19.10 nf_conntrack_sip process_sdp uninitialized pointer
→ No new info (linked only)

Tier C · Linux Kernel CVEs · 7d ago
CVE-2026-31427: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
→ No new info (linked only)

CVSS 3.1: 0.0 NONE
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 6e5e3c87b7e6212f1d8414fc2e4d158b01e12025, fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6, 7edca70751b9bdb5b83eed53cde21eccf3c86147, 01f34a80ac23ae90b1909b94b4ed05343a62f646, 52fdda318ef2362fc5936385bcb8b3d0328ee629, 6a2b724460cb67caed500c508c2ae5cf012e4db4, 0, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0
Published: Apr 13, 2026
Last enriched: 6d ago (v3)
Tags: CVE-2026-31427
Trending Score: 24
Source articles: 4
Independent: 4
Info Completeness: 8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-31430 · EXP
X.509: Fix out-of-bounds access when parsing extensions
Trending: 64

HIGH · CVE-2026-23400 · EXP
rust_binder: call set_notification_done() without proc lock
Trending: 63

NONE · CVE-2026-31429
net: skb: fix cross-cache free of KFENCE-allocated skb head
Trending: 35

NONE · CVE-2026-23398 · EXP
icmp: fix NULL pointer dereference in icmp_tag_validation()
Trending: 29

NONE · CVE-2026-31416 · EXP
netfilter: nfnetlink_log: account for netlink header size
Trending: 27

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 13, 2026
Discovered by ZDM: Apr 13, 2026
Updated (affectedVersions, cvssEstimate, cweIds, tags): Apr 13, 2026
Updated (severity, affectedVersions, activelyExploited): Apr 13, 2026
Actively Exploited: Apr 18, 2026
Patch Available: Apr 18, 2026

Version History

v3 · Tier C · 6d ago (via VulDB)
Updated severity to CRITICAL, added new affected versions, and corrected exploit availability.
Fields changed: severity, affectedVersions, activelyExploited

v2 · Tier C · 7d ago (via Linux Kernel CVEs)
Updated description with more technical detail, added affected version 2.6.26, changed severity to HIGH, added CWE-758, and marked exploit as available and actively exploited.
Fields changed: affectedVersions, cvssEstimate, cweIds, tags

v1 · 7d ago
Initial creation