CVE-2026-31664
Published: Apr 24, 2026
Modified: Jun 1, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents. Add the missing memset_after() call, matching build_expire().
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < a5127501c8d30b5728791b1e340284ca5c9cc4bdaffected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < e6f4ffe8596947a595c9544e73a73adcb0568b88affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < ac6985903db047eaff54db929e4bf6b06782788eaffected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < c221ed63a2769a0af8bd849dfe25740048f34ef4affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < eda30846ea54f8ed218468e5480c8305ca645e37+3 more versions |
Linux | Linux | affected 2.6.12unaffected 0 - < 2.6.12unaffected 5.10.258 - <= 5.10.*unaffected 5.15.209 - <= 5.15.*unaffected 6.1.169 - <= 6.1.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now