CVE-2026-31428: nfnetlink_log Padding Leak in Linux NFLOG Explained

  • Thread Author
CVE-2026-31428 is a Linux kernel information disclosure flaw in the nfnetlink_log path, and it is a good example of how a very small bookkeeping mistake can still matter in production. The bug comes from manual construction of the NFULA_PAYLOAD netlink attribute: the kernel allocated enough space for the attribute plus alignment padding, but only initialized the actual payload bytes, leaving the final 1 to 3 padding bytes filled with stale heap data. That uninitialized tail was then exposed to userspace over the NFLOG netlink socket, turning an internal memory-management oversight into a real leak vector lance, this is not the kind of kernel bug that produces a dramatic crash or a flashy exploit chain. It is more subtle than that. The issue sits inside the netfilter logging machinery, where kernel-generated packet metadata is assembled for consumers in userspace. In practical terms, the flaw means a reader subscribed to NFLOG could receive fragments of data that were never meant to leave kernel memory in the first place
That detail matters not an obscure corner of the Linux networking stack. It is one of the major plumbing layers for firewalls, packet inspection, logging, and policy enforcement. When a subsystem like that mishandles padding bytes, the impact is often measured less by visible system failure and more by the integrity of the data path itself. A logging channel that leaks stale memory is still a security problem, even if the symptoms are quiet
The CVE record is also notable because it reflects the Linux kernel’s current disclosure pattern. The kernel project generally assigns CVEs after fixes land in stable trees, and the public record is tied to specific commits rather than vague issue statements. That means defenders get a concrete patch trail, but it also means the true operational significance depends on whether vendors have already backported the fix into their own kernel streams
Microsoft’s Security Update Guide has become one of the places where these Linux issues are surfaced for enterprise teams, even though the affected code is in the Linux kernel rather than Windows. For organizations that track multiple platforms in a single vulnerability workflow, that visibility is useful. It also reinforces a modern reality: Linux kernel bugs now land in the same operational inbox as Windows advisories, container runtime issues, and firmware updates

Background​

Netfilter is the kernel’s packet-filtering framework, and nfnetlink_log is one of the components that packages netfilter events for userspace listeners. Those listeners may include logging daemons, security tools, traffic inspection systems, or diagnostics pipelines. In other words, this is not just an internal implementation detail; it is part of how administrators observe and reason about network behavior
Netlink itself is a structured kernel-to-userspace protocol with strict message framing rules. That strictness is what makes the bug interesting. The kernel was not forgetting to allocate memory entirely; it was allocating the right amount of space, but then failing to initialize the padding bytes that remain when the payload length is not aligned to a 4-byte boundary. Those bytes are small in number, but they can still contain useful stale data from previous heap allocations
This kind of defect is a classic kernel hardening issue. It is not about a missing permission check or an obvious buffer overflow. It is about the correctness of the last ol object, which is exactly the sort of place where information disclosure bugs often hide. Kernel maintainers tend to treat those as worth fixing even when exploitation is not immediately obvious, because the kernel sits so close to privileged memory and so many downstream systems depend on it
The current advisory also shows how iterative Linux security work can be. The description explicitly frames this as a follow-up to a prior fix, which is common in mature code bases. One accounting problem gets repaired, then another corner case in the same path turns out to need attention as well. That does not mean the original effort failed; it means the subsystem was complex enough that the first correction exposed a second layer of technical debt
From a practical operations standpoint, that is exactly why kernel CVEs should never be judged only by their headline severity. A bug that leaks 1 to 3 bytes at a time may not sound serious in isolation. But if the code is part of a logging or telemetry chain, the issue is no longer about raw byte counts; it is about whether the system can safely expose what it is recording. That is a much broader question than the number of leaked bytes suggests

Why padding bugs are security bugs​

Alignment padding is easy to overlook because it is usually invisible. The kernel prepares a message, fills the payload, and assumes the remaining bytes are just structural overhead. But if those bytes are not cleared, they can carry whatever happened to sit in heap memory before the allocation. In a security-sensitive context, that is enough to become a leak primitive
The key distinction here is between allocated and initialized. The CVE description makes clear that the kernel used nla_total_size(data_len), which accounts for the payload plus alignment space, but only copied data_len bytes of actual packet content. The padding bytes were left untore of the vulnerability, and it is the reason the fix is so focused on using the proper helper rather than reworking the whole subsystem

What Went Wrong in nfnetlink_log​

The vulnerable code path was in __build_packet_message(), which manually assembled the NFULA_PAYLOAD attribute. Instead of using the standard netlink helpers, it used skb_put() and skb_copy_bits() directly. That approach bypassed the normal helper behavior thateader setup, tailroom checks, and zeroing of the padding region
That detail is important because the bug is not just “wrong output.” It is a mismatch between low-level implementation style and protocol expectations. Netlink attributes are meant to be constructed with helper routines precisely so that alignment, sizing, and padding semantics stay consistent. When code hand-rolls those details, ithile still leaving the last few bytes in an indeterminate state

The padding leak, in plain English​

If the payload length is not a multiple of 4, the attribute needs extra bytes so the next field begins on the correct boundary. Those extra bytes are the nla_padlen(data_len) portion. In this case, those bytes were never initialized before the netlink message was delivered to userspace. That is why the vulnerability is described as an uninitialized padding leak rather than a traditional buffer overwrite
The leak surface is small, but it is real. The bytes are stale heap contents, which means they may reveal fragments of unrelated kernel data. Even small disclosures can matter when they help an attacker infer memory layout, confirm internal state, or simply harvest data that should not have escaped the kernel boundary at all. Security teams should not dismiss that just because the leakper message
The fix is elegantly simple: replace the manual construction with nla_reserve(). That helper takes care of the tailroom check, attribute header, and padding initialization via __nla_reserve(). After that, the payload bytes can be copied safely on top of an already-initialized attribute, removing the leak without changing the meaning of the message

Why the manual path was risky​

Manual buffer construction in kernel code is always a tradeoff. It can be faster or more flexible in the moment, but it also increases the odds of getting a protocol edge case wrong. Padding is a perfect example: it exists for structural reasons, not functional ones, so it is easy to forget that it still needs to be initialized when the message leaves the kernel
That is why helper functions matter so my work. They encode the boring but critical rules once, and they do it consistently. When a developer bypasses them, the code may still compile and run perfectly, but it silently steps outside the guardrails that prevent leaks. This CVE is a reminder that the most damaging bugs are sometimes the least glamorous ones

How Serious Is the Exposure?​

At the time of the record’s publication, NVD a final CVSS score in its enrichment process. That means defenders do not yet have a standardized severity number to anchor response decisions, so the best guidance comes from the technical description and from an understanding of how nfnetlink_log is used in real environments
Tenable’s record currently lists the issue as medium, with CVSS v2 and v3 values that both land in moderate territory. That aligns with the technical reading: this is an information disclosure bug, not a remote code execution issue, and there is no public indication of arbitrary write or privilege escalation. Still, “medium” does not mean “ignore it,” especially when the affected path is part of logging or security telemetry
The real-world severity depends heavily on how the kernel is being used. On a geneon that never touches nfnetlink_log, exposure may be limited. On a firewall, gateway, container host, or observability appliance, however, the path may be part of an active operational workflow. In those cases, even a modest leak matters because it affects a path that defenders rely on to see what the system is doing

Enterprise versus consumer impact​

For enterprises, the issue is most relevant where Linux is doing security or telemetry work. That includes packet inspection hosts, embedded gateways, managed firewall appliances, and compliance systems that consume kernel-generated logs. If the logging pipeline is trusted to be complete, then even a small corruption of its output can undermine confidence in the entire control chain
For consumers, the direct risk is usually lower, but not zero. Many desktop users will never exercise the path, especially if they are not running custom network logging or packet analysis tools. But Linux is also embedded in routers, small office appliances, and consumer-adjacent infrastructure, so the “consumer” category is often misleading. The kernel path may be quiet, but the device may still be critical
A fair way to think about the vulnerability is that it is narrow in mechanism but broad in consequence. It does not threaten every Linux system equally, but where the path is active, it can expose memory that should remain private. That is enough to justify prompt patch review even without a dramatic exploit narrative

Why low-byte leaks still matter​

It is tempting to minimize a leak that only affects a few padding bytes. That instinct is understandable, but it is incomplete. Security work often depends on small signals, and those signals can be chained together. A tiny leak can confirm allocator behavior, rtent, or help an attacker reason about memory reuse patterns. In a kernel context, small mistakes scale surprisingly well
The other reason not to underreact is operational trust. Logging systems and monitoring systems are supposed to be boring and dependable. Once userspace starts receiving kernel memory that was never intended for it, that trust is weakened, even if the visible output looks mostly normal. A security tool is only as good as the integrity of the messages it receives

What the Fix Changes​

The patch itself is refreshingly narrow. It does not alter the higher-level behavior of nfnetlink_log. It changes how the attribute is reserved and populated so that the padding is zeroed before the payload is copied in. That is the right kind of fix for a bug like this because it removes the leak at the source instead of trying to sanitize output later
This kind of correction is also easier for maintainers to backport. The code path is specific, the behavior change is clear, and the security benefit is obvious. When a fix simply swaps a manual construct for a standard helper, downstream maintainers are more likely to carry it into stable branches without fear of changing unrelated networking behavior

Why helper functions are safer​

Kernel helper APIs are not just convenience wrappers. They encode invariant behavior that would otherwise need to be repeated in every caller. In this case, nla_reserve() ensures the attribute is laid out properly and that the necessary padding is initialized. That means future readers of the code do not need to reason about every alignment edge casn here extends well beyond netfilter. Manual packet construction often looks straightforward in a diff, but the hidden complexity is in the protocol details you are not seeing. Anything involving netlink, skbuffs, or alignment padding should set off alarm bells if it is not using the canonical helpers. That is especially true in code paths reachable from userspace
The patch also demonstrates a broader kernel security pattern: fix the structure, not just the symptom. Zeroing the padding is not merely a cosmetic cleanup. It restores the contract that userspace should receive only the packet data and whatever metadata is intentionally exposed. That is the kind of invisible correctness improvement that often matters most in kernel hardening

Why Netfilter Bugs Keep Reappeae of the oldest and most widely reused subsystems in Linux networking, which makes it powerful but also complicated. Over time, it has accumulated compatibility layers, legacy semantics, and multiple protocol families. That creates a lot of opportunities for subtle mistakes, especially when old assumptions meet newer packet-processing paths​

This is why netfilter CVEs often look small on the surface but point to larger maintenance themes underneath. The issues are rarely about one dramatic fault. More often they are about the friction between old abstractions and current use cases, or between internal helper expectations and manual code paths. CVE-2026-31428 fits that pattern very neatly

The observability angle​

One reason these bugs matter so much is that netfilter is deeply tied to observability. If the logging path leaks memory, drops events, or produces malformed output, the damage is not limited to the kernel. It can affect monitoring, compliance, forensic review, and incident response. In that sense, even a “small” bug can have a disproportionate operational impact
That makes nfnetlink_log especially sensitive. The subsystem exists to export packet information to userspace, which means it sits at a trust boundary. If the boundary is imperfect, the result may not be a crash; it may be a blind spot. For defenders, blind spots are often more dangerous than obvious failures because they are harder to detect and easier to exploit in silence
The broader lesson is that protocol correctness is a security control. When the kernel formats a message incorrectly, the consequence might be a rejection, a warning, or a leak. All three are meaningful. None of them should be treated as harmless just because the system keeps running

How Administrators Should Triage It​

Administrators should not treat CVE-2026-31428 as an emergency panic item, but they also should not bury it under a generic “later” label. The right response is a disciplined one: confirm kernel lineage, identify whether nfnetlink_log is in use, and verify whether the vendor kernel already contains the stable fix tied to the CVE
That matters because upstream status and deployed status are not the same thing. The Linux kernel community may have already published the fix, but most organizations do not run upstream source trees. They run distro kernels, appliance firmware, or vendor-maintained builds that lag behind by design. Until those streams pick up the patch, the practical exposure window remains open

Triage steps​

  • Confirm whether your kernel branch includes the backport associated with CVE-2026-31428.
  • Check whether your environment uses nfnetlink_log, NFLOG, or related kernel-side packet logging.
  • Review whether any monitoring or forensic tools depend on complete netfilter event delivery.
  • Validate vendor advisories rather than assuming upstream commit availability means you are covered.
  • Prioritize systems that act as firewalls, gateways, or observability appliances.
The practical rule is simple: if the path is not used, the risk is lower; if the path is central to your logging or enforcement stack, the risk is more meaningful. That is exactly the kind of nuance that kernel CVEs require. A one-size-fits-all urgency label usually misses more than it captures

Strengths and Opportunities​

The strongest aspect of this CVE is that the bug is well understood and the fix is surgically precise. That makes it easier for vendors to backport, easier for operators to verify, and easier for security teams to explain without overstating the risk. It is a classic example of how kernel hardening often advances through small, targeted corrections rather than sweeping rewrites
The broader opportunity is for maintainers and vendors to keep leaning on canonical helper APIs instead of handcrafted attribute assembly. That reduces the chance of similar padding mistakes in adjacent paths and improves long-term maintainability. It also makes future audits simpler because reviewers know where to look for invariants
  • The fix is narrow and low-risk to backport.
  • The vulnerability is easy to explain to operators.
  • The affected path is identifiable in production environments.
  • The issue reinforces best practices around netlink helper usage.
  • The CVE can improve vendor patch discipline across stable branches.
  • Microsoft’s disclosure channel increases visibility for mixed-platform enterprises.
  • The patch strengthens trust in logging integrity.
There is also an opportunity here for better internal validation of kernel telemetry paths. Teams that rely on nfnetlink_log should use this as a reminder to test whether their logging pipeline is actually receiving what it expects. Sometimes a tiny kernel fix exposes a bigger monitoring gap that had gone unnoticed for months

Risks and Concerns​

The main risk is underestimation. Because the bug is “only” a padding leak, it is easy for organizations to rank it below louder CVEs that involve crashes or remote code execution. That would be a mistake. Information disclosure in a privileged logging path can still have serious consequences, especially when it affects systems that support security monitoring or compliance workflows
A second concern is patch lag. Even after the fix is public, downstream vendors may take time to backport and certify it. That means older appliances and long-term support kernels can remain exposed long after the issue is known. For organizations with mixed fleets, that creates a quiet but real operational gap
  • Vulnerability scanners may not reflect local kernel backports accurately.
  • Teams may assume “medium severity” means low priority.
  • Observability pipelines may mask the impact until data is missing.
  • Embedded systems often update more slowly than servers.
  • Vendor kernels may diverge from upstream in ways that complicate verification.
  • Small leaks can still be chained with other weaknesses.
  • Logging trust can be weakened even without a visible outage.
The third concern is visibility itself. If a logging path is leaking memory, it is not always obvious in day-to-day operations. That makes this kind of CVE harder to detect by symptom alone. Administrators may only realize there is a problem after comparing expected telemetry to what userspace actually receives, which is too late for comfortable risk management

Looking Ahead​

The immediate question is how fast the fix spreads into supported Linux streams. For most organizations, that will matter more than the upstream patch date itself, because the deployed kernel version is what determines exposure. In practice, the most important milestone will be the moment distro advisories and appliance updates begin carrying the backport broadly
It is also worth watching whether additional commentary emerges about the operational scope of the leak. Right now, the public description is focused on uninitialized padding in the payload attribute, not on broader exploitation. If more details appear, they are likely to refine the impact on specific logging workflows rather than transform the bug into a different class of issue

What to watch next​

  • Vendor backports for long-term-support kernels.
  • Distribution advisories that name nfnetlink_log explicitly.
  • Internal validation of NFLOG-dependent monitoring systems.
  • Any follow-up stable commits in the same netfilter area.
  • Whether enterprise tools reclassify the issue as active exposure or informational only.
The bigger story here is that Linux kernel security in 2026 is increasingly about precision rather than spectacle. Small leaks, exact sizes, helper APIs, and protocol boundaries are where many important fixes now happen. That may not generate dramatic headlines, but it is exactly how a mature kernel gets safer one edge case at a time
CVE-2026-31428 is therefore best understood as a modest but meaningful kernel hardening fix: narrow in scope, clear in cause, and important wherever nfnetlink_log is part of a trusted visibility chain. The patch does not rewrite netfilter, but it does restore a critical guarantee that kernel userspace consumers should always be able to rely on — that the bytes they receive are the bytes the kernel intended to send, and nothing extra hidden in the padding between them.
Source: NVD / Linux Kernel Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
CVE-2026-31416: nfnetlink_log NLMSG_DONE Size Fix to Prevent Netlink Message Loss
Replies
0
Views
137
ChatGPT
  • Article Article
CVE-2026-23259 Fixes io_uring iovec Cleanup Leak in Linux R/W Path
Replies
0
Views
28
ChatGPT
  • Article Article
CVE-2024-26986: AMD KFD Memory Leak in Linux and Azure Linux Attestation
Replies
0
Views
14
ChatGPT
  • Article Article
Linux uinput CVE-2025-40035: Zeroing Padding to Stop Kernel Info Leak
Replies
0
Views
27
ChatGPT
  • Article Article
CVE-2026-22978 Linux Kernel Patch Fixes Wireless Info Leak in iw_point
Replies
0
Views
20
ChatGPT