HOMEVULNERABILITIESCVE-2026-31427
NONE

CVE-2026-31427

Published: April 13, 2026· Updated: Apr 18, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:6.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

process_sdp() declares union nf_inet_addr rtp_addr on the stack and

passes it to the nf_nat_sip sdp_session hook after walking the SDP

media descriptions. However rtp_addr is only initialized inside the

media loop when a recognized media type with a non-zero port is found.

If the SDP body contains no m= lines, only inactive media sections

(m=audio 0 ...) or only unrecognized media types, rtp_addr is never

assigned. Despite that, the function still calls hooks->sdp_session()

with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack

value as an IP address and rewrite the SDP session owner and connection

lines with it.

With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this

results in the session-level o= and c= addresses being rewritten to

0.0.0.0 for inactive SDP sessions. Without stack auto-init the

rewritten address is whatever happened to be on the stack.

Fix this by pre-initializing rtp_addr from the session-level connection

address (caddr) when available, and tracking via a have_rtp_addr flag

whether any valid address was established. Skip the sdp_session hook

entirely when no valid address exists.

NVD Source

Technical Analysis

CVE-2026-31427 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-31427
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 13, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31427 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.