Skip to main content

Linux Kernel CVE-2026-43167

| EUVDEUVD-2026-27728 MEDIUM
2026-05-06 Linux GHSA-2fm8-9qc5-4mqx
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:58 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: always flush state and policy upon NETDEV_UNREGISTER event

syzbot is reporting that "struct xfrm_state" refcount is leaking.

unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2 ref_tracker: netdev@ffff888052f24618 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_tracker_alloc include/linux/netdevice.h:4412 [inline] xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316 xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline] xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022 xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550 xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646 __sys_sendmsg+0x16d/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") implemented xfrm_dev_unregister() as no-op despite xfrm_dev_state_add() from xfrm_state_construct() acquires a reference to "struct net_device". I guess that that commit expected that NETDEV_DOWN event is fired before NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add() is called only if (dev->features & NETIF_F_HW_ESP) != 0.

Sabrina Dubroca identified steps to reproduce the same symptoms as below.

echo 0 > /sys/bus/netdevsim/new_device dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/) ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \ spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \ offload crypto dev $dev dir out ethtool -K $dev esp-hw-offload off echo 0 > /sys/bus/netdevsim/del_device

Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after xfrm_dev_state_add() acquired a reference to "struct net_device". Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit when acquiring a reference to "struct net_device".

Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device") re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that commit for unknown reason chose to share xfrm_dev_down() between the NETDEV_DOWN event and the NETDEV_UNREGISTER event. I guess that that commit missed the behavior in the previous paragraph.

Therefore, we need to re-introduce xfrm_dev_unregister() in order to release the reference to "struct net_device" by unconditionally flushing state and policy.

AnalysisAI

Resource leak in Linux kernel xfrm (IPsec) subsystem allows local authenticated users to exhaust kernel memory and trigger denial of service by preventing proper cleanup of IPsec hardware offload device references during network device unregistration. The vulnerability affects XFRM state management when IPsec hardware offloading is configured, particularly when the hardware offload capability (NETIF_F_HW_ESP) is disabled after state creation but before device removal.

Technical ContextAI

The vulnerability exists in the Linux kernel's XFRM (IPsec Transform) subsystem, specifically in the interaction between xfrm_dev_state_add() (which acquires a reference to network devices for hardware offload) and the device unregistration handler. The xfrm_dev_unregister() function was effectively implemented as a no-op despite xfrm_state_construct() acquiring references to 'struct net_device' for IPsec hardware offloading purposes. When NETDEV_UNREGISTER events fire, these references are not properly released because xfrm_dev_down() (shared between NETDEV_DOWN and NETDEV_UNREGISTER) does not unconditionally flush all state and policy. The root cause involves improper assumptions that NETDEV_DOWN would always precede NETDEV_UNREGISTER and that hardware offload capability checks would prevent reference acquisition, but the NETIF_F_HW_ESP feature flag can be cleared after xfrm_dev_state_add() acquires the reference, leaving dangling references.

RemediationAI

Vendor-released patches are available in Linux kernel versions 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. Organizations should upgrade to the first patched version available in their kernel series (e.g., 6.6.128 for the 6.6.x line, or 6.19.6 for mainline). For systems unable to immediately patch, workarounds include: (1) disabling IPsec hardware offloading (ESP HW offload) on network interfaces if not critical for performance, achieved via 'ethtool -K <device> esp-hw-offload off', which prevents the reference acquisition that causes the leak; (2) avoiding dynamic removal/re-add of network devices configured with xfrm hardware offload; (3) restricting local user access to xfrm netlink configuration via access controls on CAP_NET_ADMIN capability. Note that disabling hardware offload may reduce IPsec performance but eliminates the attack surface. Patched kernel commits are available from kernel.org stable git repositories for immediate backporting if needed.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy