Skip to main content

Linux Kernel CVE-2026-31472

| EUVDEUVD-2026-24823 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j49f-wwvq-pvp4
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 02:00 vuln.today
CVSS changed
Apr 27, 2026 - 23:37 NVD
5.5 (MEDIUM)
Patch released
Apr 27, 2026 - 23:28 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24823
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Add validation of the inner IPv4 packet tot_len and ihl fields parsed from decrypted IPTFS payloads in __input_process_payload(). A crafted ESP packet containing an inner IPv4 header with tot_len=0 causes an infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the data offset never advances and the while(data < tail) loop never terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct iphdr), which catches both the tot_len=0 case and malformed ihl values. The normal IP stack performs this validation in ip_rcv_core(), but IPTFS extracts and processes inner packets before they reach that layer.

AnalysisAI

Denial of service in Linux kernel IPTFS (IP Traffic Flow Security) subsystem allows local authenticated attackers to trigger an infinite loop via crafted ESP packets with malformed inner IPv4 headers containing tot_len=0. The vulnerability bypasses input validation in __input_process_payload() that should reject IPv4 packets where tot_len is less than the header length, causing the kernel to spin indefinitely in softirq context and hang the system.

Technical ContextAI

IPTFS (IP Traffic Flow Security) is an IPsec protocol extension that aggregates multiple IP packets into ESP (Encapsulating Security Payload) encrypted frames. The vulnerability exists in the Linux kernel's xfrm (transform) subsystem, specifically in the __input_process_payload() function which decrypts and parses inner IP packets from IPTFS payloads. The function fails to validate the IPv4 header fields (tot_len and ihl) before processing, mirroring validation that normally occurs in ip_rcv_core() but is bypassed because IPTFS processes packets before they reach the standard IP stack. CWE-835 (Infinite Loop) is triggered when tot_len=0 causes capturelen to remain 0, preventing the data offset pointer from advancing through the while(data < tail) loop.

RemediationAI

Apply kernel patches from stable branches: Linux 6.18.21 or later, Linux 6.19.11 or later, or Linux 7.0 final release. The fix is commit 0d10393d5eac33cbd92f7a41fddca12c41d3cb7e (also available in commits 3db7d4f777a00164582061ccaa99569cd85011a3 and de6d8e8ce5187f7402c9859b443355e7120c5f09 for backports), which adds explicit validation in __input_process_payload() rejecting IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct iphdr). For systems unable to update immediately, disable IPTFS support by removing CONFIG_XFRM_IPTFS from kernel configuration if not actively required, or restrict ESP protocol access via iptables/firewall rules to trusted peers only - this impacts IPsec functionality and should be validated against operational requirements. Systems using standard IPsec without IPTFS aggregation mode are not affected.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31472 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy