Linux kernel netfilter nf_conntrack_sip uninitialized rtp_addr bug
CVE-2026-31427 Published on April 13, 2026
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
process_sdp() declares union nf_inet_addr rtp_addr on the stack and
passes it to the nf_nat_sip sdp_session hook after walking the SDP
media descriptions. However rtp_addr is only initialized inside the
media loop when a recognized media type with a non-zero port is found.
If the SDP body contains no m= lines, only inactive media sections
(m=audio 0 ...) or only unrecognized media types, rtp_addr is never
assigned. Despite that, the function still calls hooks->sdp_session()
with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack
value as an IP address and rewrite the SDP session owner and connection
lines with it.
With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this
results in the session-level o= and c= addresses being rewritten to
0.0.0.0 for inactive SDP sessions. Without stack auto-init the
rewritten address is whatever happened to be on the stack.
Fix this by pre-initializing rtp_addr from the session-level connection
address (caddr) when available, and tracking via a have_rtp_addr flag
whether any valid address was established. Skip the sdp_session hook
entirely when no valid address exists.
Products Associated with CVE-2026-31427
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 4ab9e64e5e3c0516577818804aaf13a630d67bc9 and below faa6ea32797a1847790514ff0da1be1d09771580 is affected.
- Version 4ab9e64e5e3c0516577818804aaf13a630d67bc9 and below 82baeb871e8f04906bc886273fdf0209e1754eb3 is affected.
- Version 4ab9e64e5e3c0516577818804aaf13a630d67bc9 and below 6e5e3c87b7e6212f1d8414fc2e4d158b01e12025 is affected.
- Version 4ab9e64e5e3c0516577818804aaf13a630d67bc9 and below fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6 is affected.
- Version 4ab9e64e5e3c0516577818804aaf13a630d67bc9 and below 7edca70751b9bdb5b83eed53cde21eccf3c86147 is affected.
- Version 4ab9e64e5e3c0516577818804aaf13a630d67bc9 and below 01f34a80ac23ae90b1909b94b4ed05343a62f646 is affected.
- Version 4ab9e64e5e3c0516577818804aaf13a630d67bc9 and below 52fdda318ef2362fc5936385bcb8b3d0328ee629 is affected.
- Version 4ab9e64e5e3c0516577818804aaf13a630d67bc9 and below 6a2b724460cb67caed500c508c2ae5cf012e4db4 is affected.
- Version 2.6.26 is affected.
- Before 2.6.26 is unaffected.
- Version 5.10.253, <= 5.10.* is unaffected.
- Version 5.15.203, <= 5.15.* is unaffected.
- Version 6.1.168, <= 6.1.* is unaffected.
- Version 6.6.131, <= 6.6.* is unaffected.
- Version 6.12.80, <= 6.12.* is unaffected.
- Version 6.18.21, <= 6.18.* is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.