5.5

CVE-2026-31427

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

process_sdp() declares union nf_inet_addr rtp_addr on the stack and
passes it to the nf_nat_sip sdp_session hook after walking the SDP
media descriptions. However rtp_addr is only initialized inside the
media loop when a recognized media type with a non-zero port is found.

If the SDP body contains no m= lines, only inactive media sections
(m=audio 0 ...) or only unrecognized media types, rtp_addr is never
assigned. Despite that, the function still calls hooks->sdp_session()
with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack
value as an IP address and rewrite the SDP session owner and connection
lines with it.

With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this
results in the session-level o= and c= addresses being rewritten to
0.0.0.0 for inactive SDP sessions. Without stack auto-init the
rewritten address is whatever happened to be on the stack.

Fix this by pre-initializing rtp_addr from the session-level connection
address (caddr) when available, and tracking via a have_rtp_addr flag
whether any valid address was established. Skip the sdp_session hook
entirely when no valid address exists.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.26 < 5.10.253
LinuxLinux Kernel Version >= 5.11 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.168
LinuxLinux Kernel Version >= 6.2 < 6.6.131
LinuxLinux Kernel Version >= 6.7 < 6.12.80
LinuxLinux Kernel Version >= 6.13 < 6.18.21
LinuxLinux Kernel Version >= 6.19 < 6.19.11
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.018
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025
Patch
https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6
Patch
https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147
Patch
https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646
Patch
https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629
Patch
https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4
Patch
https://git.kernel.org/stable/c/82baeb871e8f04906bc886273fdf0209e1754eb3
Patch
https://git.kernel.org/stable/c/faa6ea32797a1847790514ff0da1be1d09771580
Patch