CVE-2026-31427

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp<br /> <br /> process_sdp() declares union nf_inet_addr rtp_addr on the stack and<br /> passes it to the nf_nat_sip sdp_session hook after walking the SDP<br /> media descriptions. However rtp_addr is only initialized inside the<br /> media loop when a recognized media type with a non-zero port is found.<br /> <br /> If the SDP body contains no m= lines, only inactive media sections<br /> (m=audio 0 ...) or only unrecognized media types, rtp_addr is never<br /> assigned. Despite that, the function still calls hooks-&gt;sdp_session()<br /> with &amp;rtp_addr, causing nf_nat_sdp_session() to format the stale stack<br /> value as an IP address and rewrite the SDP session owner and connection<br /> lines with it.<br /> <br /> With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this<br /> results in the session-level o= and c= addresses being rewritten to<br /> 0.0.0.0 for inactive SDP sessions. Without stack auto-init the<br /> rewritten address is whatever happened to be on the stack.<br /> <br /> Fix this by pre-initializing rtp_addr from the session-level connection<br /> address (caddr) when available, and tracking via a have_rtp_addr flag<br /> whether any valid address was established. Skip the sdp_session hook<br /> entirely when no valid address exists.