CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
821 vulnerabilities reference this CWE, most recent first.
GHSA-W497-WQWX-V847
Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-11-26 21:31A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-9640"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T13:16:01Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability.",
"id": "GHSA-w497-wqwx-v847",
"modified": "2025-11-26T21:31:25Z",
"published": "2025-10-15T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9640"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-9640"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391698"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00027.html"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/history/security.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/15/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/16/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W5CR-FRPH-HW7F
Vulnerability from github – Published: 2021-08-25 21:01 – Updated: 2021-05-25 20:52An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rkyv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-31919"
],
"database_specific": {
"cwe_ids": [
"CWE-772",
"CWE-908"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-25T20:52:53Z",
"nvd_published_at": "2021-04-30T03:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct.",
"id": "GHSA-w5cr-frph-hw7f",
"modified": "2021-05-25T20:52:53Z",
"published": "2021-08-25T21:01:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31919"
},
{
"type": "WEB",
"url": "https://github.com/djkoloski/rkyv/issues/113"
},
{
"type": "WEB",
"url": "https://github.com/djkoloski/rkyv/commit/9c65ae9c2c67dd949b5c3aba9b8eba6da802ab7e"
},
{
"type": "WEB",
"url": "https://github.com/djkoloski/rkyv/commit/f141b560523a20557db6540576d153010bd18712"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0054.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Use of uninitialized buffer in rkyv"
}
GHSA-W5F5-72QQ-HGJ6
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11Adobe Prelude version 10.0 (and earlier) are affected by an uninitialized variable vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-36007"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-20T19:15:00Z",
"severity": "LOW"
},
"details": "Adobe Prelude version 10.0 (and earlier) are affected by an uninitialized variable vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-w5f5-72qq-hgj6",
"modified": "2022-05-24T19:11:43Z",
"published": "2022-05-24T19:11:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36007"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/prelude/apsb21-58.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W5JH-VR73-453V
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2026-02-23 18:31A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16929, CVE-2020-16930, CVE-2020-16932.
{
"affected": [],
"aliases": [
"CVE-2020-16931"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-16T23:15:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka \u0027Microsoft Excel Remote Code Execution Vulnerability\u0027. This CVE ID is unique from CVE-2020-16929, CVE-2020-16930, CVE-2020-16932.",
"id": "GHSA-w5jh-vr73-453v",
"modified": "2026-02-23T18:31:49Z",
"published": "2022-05-24T17:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16931"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16931"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1255"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6P3-73R2-4574
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-28 15:30In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Initialize free_qp completion before using it
In irdma_create_qp, if ib_copy_to_udata fails, it will call irdma_destroy_qp to clean up which will attempt to wait on the free_qp completion, which is not initialized yet. Fix this by initializing the completion before the ib_copy_to_udata call.
{
"affected": [],
"aliases": [
"CVE-2026-31492"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:47Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Initialize free_qp completion before using it\n\nIn irdma_create_qp, if ib_copy_to_udata fails, it will call\nirdma_destroy_qp to clean up which will attempt to wait on\nthe free_qp completion, which is not initialized yet. Fix this\nby initializing the completion before the ib_copy_to_udata call.",
"id": "GHSA-w6p3-73r2-4574",
"modified": "2026-04-28T15:30:47Z",
"published": "2026-04-22T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31492"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/11a95521fb93c91e2d4ef9d53dc80ef0a755549b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cb88c12461b71c7d9c604aa2e6a9a477ecfa147"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac1da7bd224d406b6f1b84414f0f652ab43b6bd8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af310407f79d5816fc0ab3638e1588b6193316dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd1534c8f4984432382c240f6784408497f5bb0a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f72996834f7bdefc2b95e3eec30447ee195df44e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6XP-GC2W-28HX
Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2025-11-04 00:30IBM Security Verify Access Appliance 10.0.0 through 10.0.7 uses uninitialized variables when deploying that could allow a local user to cause a denial of service. IBM X-Force ID: 287318.
{
"affected": [],
"aliases": [
"CVE-2024-31874"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T16:15:15Z",
"severity": "MODERATE"
},
"details": "IBM Security Verify Access Appliance 10.0.0 through 10.0.7 uses uninitialized variables when deploying that could allow a local user to cause a denial of service. IBM X-Force ID: 287318.",
"id": "GHSA-w6xp-gc2w-28hx",
"modified": "2025-11-04T00:30:48Z",
"published": "2024-04-10T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31874"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/287318"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7147932"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W77R-V3RV-5RCP
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix bpf_xdp_store_bytes proto for read-only arg
While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error:
; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0); 635: (79) r1 = (u64 )(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx() 636: (b4) w2 = 26 ; R2=26 637: (b4) w4 = 4 ; R4=4 638: (b4) w5 = 0 ; R5=0 639: (85) call bpf_xdp_store_bytes#190 write into map forbidden, value_size=6 off=0 size=4
nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails.
Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory.
This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.
{
"affected": [],
"aliases": [
"CVE-2026-45886"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:02Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix bpf_xdp_store_bytes proto for read-only arg\n\nWhile making some maps in Cilium read-only from the BPF side, we noticed\nthat the bpf_xdp_store_bytes proto is incorrect. In particular, the\nverifier was throwing the following error:\n\n ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr),\n \u0026nat-\u003eaddress, 4, 0);\n 635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx()\n 636: (b4) w2 = 26 ; R2=26\n 637: (b4) w4 = 4 ; R4=4\n 638: (b4) w5 = 0 ; R5=0\n 639: (85) call bpf_xdp_store_bytes#190\n write into map forbidden, value_size=6 off=0 size=4\n\nnat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE.\nThe verifier checks the helper\u0027s memory access to R3 in\ncheck_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third\nargument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the\nMEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3.\nGiven R3 points to a read-only map, the check fails.\n\nConversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading\nfrom uninitialized memory.\n\nThis patch simply fixes the expected argument type to match that of\nbpf_skb_store_bytes.",
"id": "GHSA-w77r-v3rv-5rcp",
"modified": "2026-06-25T21:31:20Z",
"published": "2026-05-27T15:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45886"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0db169a91381a473b7974021d1c02f8da72c5775"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6557f1565d779851c4db9c488c49c05a47a6e72f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d7b87adeb0eb539b9b824b101bb14fb01e41240b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ddc34a1b85505c919026ddc82fafdada9a160b15"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W7CV-FRW4-84FJ
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
When building netlink messages, tc_chain_fill_node() never initializes the tcm_info field of struct tcmsg. Since the allocation is not zeroed, kernel heap memory is leaked to userspace through this 4-byte field.
The fix simply zeroes tcm_info alongside the other fields that are already initialized.
{
"affected": [],
"aliases": [
"CVE-2026-43035"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak\n\nWhen building netlink messages, tc_chain_fill_node() never initializes\nthe tcm_info field of struct tcmsg. Since the allocation is not zeroed,\nkernel heap memory is leaked to userspace through this 4-byte field.\n\nThe fix simply zeroes tcm_info alongside the other fields that are\nalready initialized.",
"id": "GHSA-w7cv-frw4-84fj",
"modified": "2026-07-14T15:31:57Z",
"published": "2026-05-01T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43035"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1091b3c174441a52fdbb92e2fe00338f9371a91c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/71a3eda7e850ae844cb8993065f4e410c11a46ce"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/903c3405cfcc7700260e456ab66a5867586c9e69"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/906997ea3766c24fbbf9cc4bf17c047315bbd138"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6db08484c6cb3d4ad696246f9d288eceba2a078"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e35f5195cd44ff4053fbc5d71ea97681728a0099"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e6e3eb5ee89ac4c163d46429391c889a1bb5e404"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9QV-V668-Q8RF
Vulnerability from github – Published: 2026-06-03 18:33 – Updated: 2026-06-09 21:32In the Linux kernel, the following vulnerability has been resolved:
clocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock.
On SP804, the delay timer shares the same clkevt instance with sched_clock. On some platforms, when sp804_clocksource_and_sched_clock_init is called with use_sched_clock not set to 1, sched_clkevt is not properly initialized. However, sp804_register_delay_timer is invoked unconditionally, and read_current_timer() subsequently calls sp804_read on an uninitialized sched_clkevt, leading to a kernel Oops when accessing sched_clkevt->value.
Declare a dedicated clkevt instance exclusively for delay timer, instead of sharing the same clkevt with sched_clock. This ensures that read_current_timer continues to work correctly regardless of whether SP804 is selected as the sched_clock.
{
"affected": [],
"aliases": [
"CVE-2026-46257"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T18:16:26Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock.\n\nOn SP804, the delay timer shares the same clkevt instance with\nsched_clock. On some platforms, when\nsp804_clocksource_and_sched_clock_init is called with use_sched_clock\nnot set to 1, sched_clkevt is not properly initialized. However,\nsp804_register_delay_timer is invoked unconditionally, and\nread_current_timer() subsequently calls sp804_read on an uninitialized\nsched_clkevt, leading to a kernel Oops when accessing\nsched_clkevt-\u003evalue.\n\nDeclare a dedicated clkevt instance exclusively for delay timer,\ninstead of sharing the same clkevt with sched_clock. This ensures\nthat read_current_timer continues to work correctly regardless of\nwhether SP804 is selected as the sched_clock.",
"id": "GHSA-w9qv-v668-q8rf",
"modified": "2026-06-09T21:32:21Z",
"published": "2026-06-03T18:33:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46257"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/693b0b594b0f278bafa784984129c0c0f988e352"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/694921a93f3e3621e067afc545cedf6fe3b234a9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9RR-8FX7-936W
Vulnerability from github – Published: 2026-04-13 15:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found.
If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it.
With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack.
Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.
{
"affected": [],
"aliases": [
"CVE-2026-31427"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T14:16:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks-\u003esdp_session()\nwith \u0026rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. Skip the sdp_session hook\nentirely when no valid address exists.",
"id": "GHSA-w9rr-8fx7-936w",
"modified": "2026-07-14T15:31:51Z",
"published": "2026-04-13T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31427"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/82baeb871e8f04906bc886273fdf0209e1754eb3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/faa6ea32797a1847790514ff0da1be1d09771580"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.