Skip to main content

Linux Kernel CVE-2026-43107

| EUVDEUVD-2026-27624 MEDIUM
Incorrect Calculation of Buffer Size (CWE-131)
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 17:37 vuln.today
CVSS changed
May 11, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: account XFRMA_IF_ID in aevent size calculation

xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set.

xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic.

Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding.

AnalysisAI

Denial of service in Linux kernel xfrm (IPsec transform) subsystem allows local authenticated attackers to trigger a kernel panic via improper netlink message size calculation when handling XFRM_MSG_GETAE requests for states with interface ID set. The xfrm_aevent_msgsize() function fails to account for XFRMA_IF_ID attribute space, causing build_aevent() to exceed buffer bounds and hit a BUG_ON assertion, resulting in kernel crash. EPSS exploitation probability is very low at 0.02% despite the local attack vector, suggesting limited real-world impact.

Technical ContextAI

The Linux kernel's xfrm subsystem manages IPsec security associations and transforms. The vulnerability occurs in the netlink message handling path where xfrm_get_ae() requests acquire/expire event (AE) statistics for a transform state. The function allocates a reply socket buffer using xfrm_aevent_msgsize() to determine required space, then build_aevent() populates the message with attributes. When an xfrm state has an interface identifier (if_id field), build_aevent() appends the XFRMA_IF_ID attribute. The root cause is improper bounds checking (CWE-131: Incorrect Buffer Size Calculation) - xfrm_aevent_msgsize() does not include space for this optional attribute, causing buffer overflow conditions. The code path is triggered only through netlink XFRM_MSG_GETAE messages, a privileged operation requiring CAP_NET_ADMIN equivalent or local user privileges.

RemediationAI

Apply the stable kernel fix patches: Linux 6.12.83 or later, 6.18.24 or later, or 6.19.14 or later depending on your kernel branch. The upstream fix (commit 2c41283d94af943a05f7f2cc1a01f0c872f3cf43 and related commits per https://git.kernel.org/stable/c/2c41283d94af943a05f7f2cc1a01f0c872f3cf43) corrects xfrm_aevent_msgsize() to include XFRMA_IF_ID in buffer calculations and replaces the BUG_ON() with proper error handling. For systems unable to update immediately, restrict unprivileged access to xfrm configuration through iptables/netfilter rules or disable xfrm IPsec support if not required; however, the second option eliminates IPsec functionality entirely and may be impractical for VPN deployments. Verify your kernel's xfrm configuration by checking if XFRM_STATISTICS is enabled and whether if_id-tagged states are in use before deferring patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy