{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31427", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.088Z", "datePublished": "2026-04-13T13:40:30.280Z", "dateUpdated": "2026-05-11T22:08:29.865Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:29.865Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks->sdp_session()\nwith &rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. Skip the sdp_session hook\nentirely when no valid address exists."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_sip.c"], "versions": [{"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9", "lessThan": "faa6ea32797a1847790514ff0da1be1d09771580", "status": "affected", "versionType": "git"}, {"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9", "lessThan": "82baeb871e8f04906bc886273fdf0209e1754eb3", "status": "affected", "versionType": "git"}, {"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9", "lessThan": "6e5e3c87b7e6212f1d8414fc2e4d158b01e12025", "status": "affected", "versionType": "git"}, {"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9", "lessThan": "fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6", "status": "affected", "versionType": "git"}, {"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9", "lessThan": "7edca70751b9bdb5b83eed53cde21eccf3c86147", "status": "affected", "versionType": "git"}, {"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9", "lessThan": "01f34a80ac23ae90b1909b94b4ed05343a62f646", "status": "affected", "versionType": "git"}, {"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9", "lessThan": "52fdda318ef2362fc5936385bcb8b3d0328ee629", "status": "affected", "versionType": "git"}, {"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9", "lessThan": "6a2b724460cb67caed500c508c2ae5cf012e4db4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_sip.c"], "versions": [{"version": "2.6.26", "status": "affected"}, {"version": "0", "lessThan": "2.6.26", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/faa6ea32797a1847790514ff0da1be1d09771580"}, {"url": "https://git.kernel.org/stable/c/82baeb871e8f04906bc886273fdf0209e1754eb3"}, {"url": "https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025"}, {"url": "https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6"}, {"url": "https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147"}, {"url": "https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646"}, {"url": "https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629"}, {"url": "https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4"}], "title": "netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks->sdp_session()\nwith &rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. Skip the sdp_session hook\nentirely when no valid address exists."}], "id": "CVE-2026-31427", "lastModified": "2026-04-18T09:16:32.817", "metrics": {}, "published": "2026-04-13T14:16:12.783", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/82baeb871e8f04906bc886273fdf0209e1754eb3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/faa6ea32797a1847790514ff0da1be1d09771580"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp", "id": "2457842", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457842"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["A flaw was found in the Linux kernel's netfilter subsystem, specifically within the nf_conntrack_sip module. This vulnerability occurs in the process_sdp function when the rtp_addr variable is used without proper initialization if the Session Description Protocol (SDP) body lacks recognized media types or active media sections. A remote attacker could potentially exploit this by sending specially crafted SDP messages, leading to the rewriting of session-level owner and connection addresses with uninitialized or stale stack values. This could result in information disclosure or unexpected network behavior, potentially causing a denial of service."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the `nf_conntrack_sip` module from being loaded when SIP helper/NAT is not required. See https://access.redhat.com/solutions/41278 for instructions."}, "name": "CVE-2026-31427", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31427\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31427\nhttps://lore.kernel.org/linux-cve-announce/2026041357-CVE-2026-31427-1afe@gregkh/T"], "statement": "The bug is confined to SIP sessions handled by the connection-tracking helper and NAT SDP hooks. It requires SIP traffic traversing a host with `nf_conntrack_sip` (and relevant NAT) loaded. Integrity of signaling is affected; remote attackers who can pass SDP through the helper can influence rewritten addresses. Scope should be reviewed against whether IPv4/IPv6 SIP transit applies (network vs. strictly local control plane).", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4ab9e64e5e3c0516577818804aaf13a630d67bc9,6e5e3c87b7e6212f1d8414fc2e4d158b01e12025)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4ab9e64e5e3c0516577818804aaf13a630d67bc9,fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4ab9e64e5e3c0516577818804aaf13a630d67bc9,7edca70751b9bdb5b83eed53cde21eccf3c86147)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4ab9e64e5e3c0516577818804aaf13a630d67bc9,01f34a80ac23ae90b1909b94b4ed05343a62f646)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4ab9e64e5e3c0516577818804aaf13a630d67bc9,52fdda318ef2362fc5936385bcb8b3d0328ee629)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4ab9e64e5e3c0516577818804aaf13a630d67bc9,6a2b724460cb67caed500c508c2ae5cf012e4db4)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.26"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.26)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-14T01:37:12.513957+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that contains the fix for the nf_conntrack_sip uninitialized rtp_addr bug.", "If a kernel upgrade is not immediately possible, disable or unload the nf_nat_sip module or SIP NAT functionality in netfilter until a patched kernel is deployed.", "Verify that the system\u2019s netfilter configuration does not enable the nf_nat_sip module and monitor for anomalous SIP traffic containing 0.0.0.0 addresses.", "Contact the distribution vendor for patch availability or update instructions if the system is using a custom kernel build."], "summary": {"action": "Apply Patch", "impact": "Modification of SIP session addresses leading to misconfiguration or denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel distributions that include the netfilter nf_conntrack_sip code before the recent commit are affected. The vulnerability applies to the Linux kernel itself, regardless of specific vendor, and affects any systems that employ SIP NAT functionality via nf_conntrack_sip. Version details are not explicitly listed, so any kernel that has not applied the patch is potentially vulnerable.", "description_and_impact": "The uninitialized stack variable rtp_addr in the Linux kernel\u2019s netfilter nf_conntrack_sip module causes nf_nat_sip to format a stale stack value into an IP address and rewrite the session owner and connection lines of SIP messages with it. The result is that SIP sessions may be incorrectly configured with 0.0.0.0 or a garbage address, leading to connectivity failures, misrouting of media streams, or a denial of service to SIP clients.", "risk_and_exploitability": "The CVSS score of 5.8 indicates moderate severity. Although there is no EPSS data or KEV listing, the vulnerability can be exploited by an attacker who can send crafted SIP packets to a node running the vulnerable kernel, causing the kernel to rewrite session addresses incorrectly. This makes a network\u2011oriented exploitation likely if the system processes SIP traffic, but active exploitation has not been reported."}}}}, "created": "2026-04-14T16:19:12.965668+00:00", "updated": "2026-04-14T16:34:21.412062+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}