{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31671", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.130Z", "datePublished": "2026-04-24T14:45:18.669Z", "dateUpdated": "2026-05-11T22:13:23.374Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:23.374Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_report()\n\nstruct xfrm_user_report is a __u8 proto field followed by a struct\nxfrm_selector which means there is three \"empty\" bytes of padding, but\nthe padding is never zeroed before copying to userspace. Fix that up by\nzeroing the structure before setting individual member variables."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_user.c"], "versions": [{"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "lessThan": "d27c02eec529f78055a46a5c9e6c62684382b2d8", "status": "affected", "versionType": "git"}, {"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "lessThan": "716c546e88cfe49d841658240e10cb57bc50a2cc", "status": "affected", "versionType": "git"}, {"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "lessThan": "0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9", "status": "affected", "versionType": "git"}, {"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "lessThan": "e0c8542c3d097ed4205ded51868195d5d6ddac62", "status": "affected", "versionType": "git"}, {"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "lessThan": "ff5ee507302303b15859753c3e0d67d38fd12c88", "status": "affected", "versionType": "git"}, {"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "lessThan": "6c55714c931051cd7f4839c19ce0867179fd22fe", "status": "affected", "versionType": "git"}, {"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "lessThan": "0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72", "status": "affected", "versionType": "git"}, {"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "lessThan": "d10119968d0e1f2b669604baf2a8b5fdb72fa6b4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_user.c"], "versions": [{"version": "2.6.19", "status": "affected"}, {"version": "0", "lessThan": "2.6.19", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.19", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d27c02eec529f78055a46a5c9e6c62684382b2d8"}, {"url": "https://git.kernel.org/stable/c/716c546e88cfe49d841658240e10cb57bc50a2cc"}, {"url": "https://git.kernel.org/stable/c/0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9"}, {"url": "https://git.kernel.org/stable/c/e0c8542c3d097ed4205ded51868195d5d6ddac62"}, {"url": "https://git.kernel.org/stable/c/ff5ee507302303b15859753c3e0d67d38fd12c88"}, {"url": "https://git.kernel.org/stable/c/6c55714c931051cd7f4839c19ce0867179fd22fe"}, {"url": "https://git.kernel.org/stable/c/0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72"}, {"url": "https://git.kernel.org/stable/c/d10119968d0e1f2b669604baf2a8b5fdb72fa6b4"}], "title": "xfrm_user: fix info leak in build_report()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "59C4CD77-5444-4760-B0D8-F238740397B4", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.19.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:*", "matchCriteriaId": "9E2DBD4C-9DD9-4DD3-87CB-A0070A789CEA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_report()\n\nstruct xfrm_user_report is a __u8 proto field followed by a struct\nxfrm_selector which means there is three \"empty\" bytes of padding, but\nthe padding is never zeroed before copying to userspace. Fix that up by\nzeroing the structure before setting individual member variables."}], "id": "CVE-2026-31671", "lastModified": "2026-04-27T20:11:39.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:46.903", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6c55714c931051cd7f4839c19ce0867179fd22fe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/716c546e88cfe49d841658240e10cb57bc50a2cc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d10119968d0e1f2b669604baf2a8b5fdb72fa6b4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d27c02eec529f78055a46a5c9e6c62684382b2d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e0c8542c3d097ed4205ded51868195d5d6ddac62"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ff5ee507302303b15859753c3e0d67d38fd12c88"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: xfrm_user: fix info leak in build_report()", "id": "2461534", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461534"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-908", "details": ["A flaw was found in the Linux kernel's xfrm_user component. This vulnerability allows a local attacker to disclose sensitive information. The xfrm_user_report structure contains uninitialized padding bytes that are copied to userspace, leading to an information leak."], "name": "CVE-2026-31671", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31671\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31671\nhttps://lore.kernel.org/linux-cve-announce/2026042407-CVE-2026-31671-c4b9@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5,d27c02eec529f78055a46a5c9e6c62684382b2d8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5,716c546e88cfe49d841658240e10cb57bc50a2cc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5,0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5,e0c8542c3d097ed4205ded51868195d5d6ddac62)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5,ff5ee507302303b15859753c3e0d67d38fd12c88)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5,6c55714c931051cd7f4839c19ce0867179fd22fe)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5,0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5,d10119968d0e1f2b669604baf2a8b5fdb72fa6b4)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,2.6.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.169,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:41:46.133433+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that contains the commit that zeroes the padding bytes before copying the structure to userspace.", "If an update is not immediately possible, restrict or disable access to the XFRM subsystem by configuring the kernel\u2019s capability settings or using system hardening tools such as SELinux or AppArmor to block untrusted processes from calling XFRM interfaces.", "Apply general kernel hardening measures, such as enabling mm\u2011petc and grsecurity patches or setting \"vm.mmap_min_addr\" and \"kernel.kptr_restrict\" to harden memory exposure, which can reduce the impact of the padding leak."], "summary": {"action": "Update Kernel", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that predate the patch through commit 0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9 are affected, including the 2.6.19 series and the 7.0 release candidates (rc1 through rc7). A system running any of these kernel versions without the fix is susceptible; newer mainstream releases that incorporate the commit are not affected.", "description_and_impact": "The Linux kernel\u2019s XFRM component contains a data structure that, when reported via build_report(), is copied to userspace without zeroing its three padding bytes. Those bytes can contain leftover kernel data, allowing an attacker to read arbitrary kernel memory. This constitutes an information\u2011disclosure flaw classified as a memory\u2011leak (CWE\u2011401). The vulnerability reveals private data that can be used to assist further attacks rather than directly escalating privileges.", "risk_and_exploitability": "With a CVSS score of 5.5 the vulnerability is of moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Exploitation would most likely occur through the XFRM subsystem, which is normally restricted to privileged users or processes with specific capabilities. While the flaw does not provide direct privilege escalation, the information exposed could aid an attacker in constructing more damaging exploits."}}}}, "created": "2026-04-27T21:45:14.290155+00:00", "updated": "2026-04-28T13:45:06.142917+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}