CVE-2026-31671 | xfrm_user: fix info leak in build_report()

In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_report() struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector which means there is three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables.

Published: 2026-04-24 Last update: 2026-04-27 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Analyzed，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2026-31671

EPSS CVSS CWE GHSA Affected OS Tracker

Conclusion & alert: CVE-2026-31671 is rated Low Risk (24.4/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-31671

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-25	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-31671

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Weakness enumeration for CVE-2026-31671

CWE-401 MITRE ↗

GitHub Security Advisory for CVE-2026-31671

GHSA-rv96-q2g6-r95w · Severity: medium — In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in...

OS Trackers for CVE-2026-31671

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2026-31671 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2026-31671
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2026-31671
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2026-31671/
`ubuntu`	medium	CVE-2026-31671 medium priority: Ubuntu including 161 source packages (linux, linux-allwinner-5.19, …), 1449 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1047, ignored 173, needed 130, released 84, not-affected 10, needs-triage 5.	https://ubuntu.com/security/CVE-2026-31671

Affected software / configurations for CVE-2026-31671

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 2.6.19.1, < 5.10.253	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.203	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 6.1.169	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.6.135	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.82	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.18.23	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.19, < 6.19.13	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	2.6.19	cpe:2.3:o:linux:linux_kernel:2.6.19:-::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

References for CVE-2026-31671

URL	Tags
https://git.kernel.org/stable/c/0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9	Patch
https://git.kernel.org/stable/c/0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72	Patch
https://git.kernel.org/stable/c/6c55714c931051cd7f4839c19ce0867179fd22fe	Patch
https://git.kernel.org/stable/c/716c546e88cfe49d841658240e10cb57bc50a2cc	Patch
https://git.kernel.org/stable/c/d10119968d0e1f2b669604baf2a8b5fdb72fa6b4	Patch
https://git.kernel.org/stable/c/d27c02eec529f78055a46a5c9e6c62684382b2d8	Patch
https://git.kernel.org/stable/c/e0c8542c3d097ed4205ded51868195d5d6ddac62	Patch
https://git.kernel.org/stable/c/ff5ee507302303b15859753c3e0d67d38fd12c88	Patch

cvelogic Threat Intelligence