Skip to main content

Linux Kernel CVE-2026-31517

| EUVDEUVD-2026-24901 MEDIUM
Memory Leak (CWE-401)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-759f-2cpp-x5g6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 16:37 vuln.today
CVSS changed
Apr 28, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 16:35 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24901
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly

In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner packet 'newskb' that is being reassembled. First a zero-copy approach is tried if it succeeds then newskb becomes non-linear.

When a subsequent fragment in the same datagram does not meet the fast-path conditions, a memory copy is performed. It calls skb_put() to append the data and as newskb is non-linear it triggers SKB_LINEAR_ASSERT check.

Oops: invalid opcode: 0000 [#1] SMP NOPTI [...] RIP: 0010:skb_put+0x3c/0x40 [...] Call Trace: <IRQ> iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs] iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs] iptfs_input+0x122/0x3e0 [xfrm_iptfs] xfrm_input+0x91e/0x1a50 xfrm4_esp_rcv+0x3a/0x110 ip_protocol_deliver_rcu+0x1d7/0x1f0 ip_local_deliver_finish+0xbe/0x1e0 __netif_receive_skb_core.constprop.0+0xb56/0x1120 __netif_receive_skb_list_core+0x133/0x2b0 netif_receive_skb_list_internal+0x1ff/0x3f0 napi_complete_done+0x81/0x220 virtnet_poll+0x9d6/0x116e [virtio_net] __napi_poll.constprop.0+0x2b/0x270 net_rx_action+0x162/0x360 handle_softirqs+0xdc/0x510 __irq_exit_rcu+0xe7/0x110 irq_exit_rcu+0xe/0x20 common_interrupt+0x85/0xa0 </IRQ> <TASK>

Fix this by checking if the skb is non-linear. If it is, linearize it by calling skb_linearize(). As the initial allocation of newskb originally reserved enough tailroom for the entire reassembled packet we do not need to check if we have enough tailroom or extend it.

AnalysisAI

Denial of service via kernel panic in the Linux kernel xfrm_iptfs module when processing fragmented IP-TFS packets with mixed fast-path and slow-path reassembly conditions. The vulnerability triggers an invalid memory access (SKB_LINEAR_ASSERT) in skb_put() when attempting to append data to a non-linear socket buffer during packet reassembly, affecting systems using IP-TFS encapsulation over IPsec. Local attackers with network access to send crafted IPsec packets can crash the kernel; active exploitation not confirmed but patch is available.

Technical ContextAI

The vulnerability exists in the Linux kernel's xfrm_iptfs module, which implements IP-TFS (IP Traffic Flow Security) as defined in RFC 9329 for IPsec encapsulation. The xfrm subsystem handles IPsec transformations and packet processing in the kernel networking stack. During IP-TFS packet reassembly, the iptfs_reassem_cont() function uses a zero-copy technique to attach packet fragments as non-linear regions (via skb_attach_data()) into the reassembly buffer for efficiency. However, the code later assumes the buffer remains linear when calling skb_put() to append subsequent fragments via the slow path. The skb_put() function includes a SKB_LINEAR_ASSERT check that triggers an invalid opcode exception (panic) if the socket buffer has been made non-linear. The root cause is CWE-401 (improper resource release), where the function fails to linearize the socket buffer before attempting linear memory operations on data that may have been made non-linear by prior operations.

RemediationAI

Upgrade the Linux kernel to a patched version containing commit 0b352f83cabfefdaafa806d6471f0eca117dc7d5 (available in 6.18.21 stable, 6.19.11 stable, and 7.0 releases) or later. For long-term support kernels, check with your distribution vendor for backported patches. The fix adds a skb_linearize() call in iptfs_reassem_cont() when the reassembly buffer is non-linear, ensuring safe memory operations before calling skb_put(). As an interim mitigation on systems unable to immediately patch, disable IP-TFS usage by not configuring xfrm policies with the iptfs mode, or restrict IPsec packet ingress via firewall rules to trusted sources only. Note that disabling IP-TFS eliminates the confidentiality benefits of traffic flow security, so patching is the preferred long-term solution. See Linux kernel git commits at https://git.kernel.org/stable/c/0b352f83cabfefdaafa806d6471f0eca117dc7d5, https://git.kernel.org/stable/c/33a7b36268933c75bdc355e5531951e0ea9f1951, and https://git.kernel.org/stable/c/7fdfe8f6efeb0e1200e22a903f2471539f54522b for the upstream fix and advisory details at https://nvd.nist.gov/vuln/detail/CVE-2026-31517.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy