Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Reachable over network via IPsec but only with IPComp enabled and repeated acomp errors (AC:H), unauthenticated (PR:N), and per-error leak yields gradual partial DoS (A:L).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
xfrm: ipcomp: Free destination pages on acomp errors
Move the out_free_req label up by a couple of lines so that the allocated dst SG list gets freed on error as well as success.
AnalysisAI
Memory leak in the Linux kernel's xfrm IPComp (IP Payload Compression) code allows resource exhaustion because the destination scatter-gather page list is not freed when an asynchronous compression (acomp) operation fails. Affecting Linux 6.15 through the fixed stable releases, the flaw lets repeated compression errors progressively consume kernel memory, with CVSS scoring only availability impact (A:H). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target host uses IPsec with IPComp (IP Payload Compression) enabled - the vulnerable code path only runs when xfrm ipcomp processes compressed payloads via the asynchronous acomp crypto API. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent toward LOW real-world priority despite the 7.5 'High' CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can drive IPsec traffic through an IPComp-enabled tunnel sends payloads that repeatedly cause the asynchronous compression backend to fail, leaking destination page allocations on each error. Sustained over time, this exhausts kernel memory and degrades or crashes the host (denial of service). … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.18.35, 7.0.12, or 7.1 (or later) - which contain the corrected out_free_req cleanup, per the stable commits at https://git.kernel.org/stable/c/dc6dcba80d72a27ab61831ad3d253316e0c9b9d5, https://git.kernel.org/stable/c/b30aa173c3809f6af4c83a86099be1be19aa48eb, and https://git.kernel.org/stable/c/7dbac7680eb629b3b4dc7e98c34f943b8814c0c8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify production systems running Linux 6.15 and determine whether IPComp is enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38702
GHSA-jvgr-44j9-74mp