{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31664","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.129Z","datePublished":"2026-04-24T14:45:13.922Z","dateUpdated":"2026-05-11T22:13:11.995Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:13:11.995Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: clear trailing padding in build_polexpire()\n\nbuild_expire() clears the trailing padding bytes of struct\nxfrm_user_expire after setting the hard field via memset_after(),\nbut the analogous function build_polexpire() does not do this for\nstruct xfrm_user_polexpire.\n\nThe padding bytes after the __u8 hard field are left\nuninitialized from the heap allocation, and are then sent to\nuserspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,\nleaking kernel heap memory contents.\n\nAdd the missing memset_after() call, matching build_expire()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xfrm/xfrm_user.c"],"versions":[{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"ac6985903db047eaff54db929e4bf6b06782788e","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"c221ed63a2769a0af8bd849dfe25740048f34ef4","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"eda30846ea54f8ed218468e5480c8305ca645e37","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"b1dfd6b27df35ef4f87825aa5f607378d23ff0f2","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"e1af65c669ebb1666c54576614c01a7f9ffcfff6","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"71a98248c63c535eaa4d4c22f099b68d902006d0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xfrm/xfrm_user.c"],"versions":[{"version":"2.6.12","status":"affected"},{"version":"0","lessThan":"2.6.12","status":"unaffected","versionType":"semver"},{"version":"6.1.169","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.135","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.82","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.1.169"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.6.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.12.82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.18.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.19.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ac6985903db047eaff54db929e4bf6b06782788e"},{"url":"https://git.kernel.org/stable/c/c221ed63a2769a0af8bd849dfe25740048f34ef4"},{"url":"https://git.kernel.org/stable/c/eda30846ea54f8ed218468e5480c8305ca645e37"},{"url":"https://git.kernel.org/stable/c/b1dfd6b27df35ef4f87825aa5f607378d23ff0f2"},{"url":"https://git.kernel.org/stable/c/e1af65c669ebb1666c54576614c01a7f9ffcfff6"},{"url":"https://git.kernel.org/stable/c/71a98248c63c535eaa4d4c22f099b68d902006d0"}],"title":"xfrm: clear trailing padding in build_polexpire()","x_generator":{"engine":"bippy-1.2.0"}}}}