CVE-2026-31428

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/04/2026
Last modified:
18/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD

__build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket.

Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.
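The padding arithmetic described above, as an added userspace model (not kernel code and not part of the original advisory). The helper names put_manual, put_reserved and stale_pad_bytes are hypothetical, the 0xAA fill is a constructed stand-in for stale heap contents, and the attribute type value is arbitrary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of netlink attribute layout: 4-byte header, 4-byte alignment. */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN 4

static int nla_attr_size(int payload)  { return NLA_HDRLEN + payload; }
static int nla_total_size(int payload) { return NLA_ALIGN(nla_attr_size(payload)); }
static int nla_padlen(int payload)     { return nla_total_size(payload) - nla_attr_size(payload); }

/* Pre-fix pattern: the aligned attribute size is claimed in the buffer, but
 * only the header and data_len payload bytes are written. */
static int put_manual(uint8_t *buf, uint16_t type, const uint8_t *data, int data_len)
{
    uint16_t hdr[2] = { (uint16_t)nla_attr_size(data_len), type };
    memcpy(buf, hdr, sizeof(hdr));
    memcpy(buf + NLA_HDRLEN, data, (size_t)data_len);
    return nla_total_size(data_len);
}

/* Post-fix pattern: the trailing padding is zeroed when the attribute is
 * reserved; header and payload are then filled in as before. */
static int put_reserved(uint8_t *buf, uint16_t type, const uint8_t *data, int data_len)
{
    memset(buf + nla_attr_size(data_len), 0, (size_t)nla_padlen(data_len));
    return put_manual(buf, type, data, data_len);
}

/* Build one attribute over a buffer pre-filled with 0xAA and return how many
 * padding bytes still hold that stale value afterwards. */
static int stale_pad_bytes(int data_len, int fixed)
{
    uint8_t skb[64], pkt[32];
    int i, n = 0, total;
    memset(skb, 0xAA, sizeof(skb));   /* constructed stale buffer contents */
    memset(pkt, 0x11, sizeof(pkt));   /* constructed packet data */
    total = (fixed ? put_reserved : put_manual)(skb, 1, pkt, data_len);
    for (i = nla_attr_size(data_len); i < total; i++)
        n += (skb[i] == 0xAA);
    return n;
}

int main(void)
{
    for (int len = 5; len <= 8; len++)
        printf("data_len=%d padlen=%d stale: manual=%d reserved=%d\n", len,
               nla_padlen(len), stale_pad_bytes(len, 0), stale_pad_bytes(len, 1));
    return 0;
}
```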

Impact