Skip to main content

Linux Kernel EUVDEUVD-2026-24821

| CVE-2026-31471 HIGH
Double Free (CWE-415)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:31 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24821
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: only publish mode_data after clone setup

iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory.

The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed.

Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.

AnalysisAI

Use-after-free in Linux kernel XFRM IPTFS subsystem allows local authenticated attackers to trigger high-severity memory corruption through failed state cloning operations. The vulnerability stems from premature publication of mode_data pointer before allocation completion, enabling arbitrary code execution, privilege escalation, or denial of service when IPsec IP-TFS (IP Traffic Flow Security) mode cloning fails. Vendor patches available for kernel versions 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, likely due to the specific IPTFS configuration prerequisite and local access requirement.

Technical ContextAI

This vulnerability affects the XFRM (Transform) framework's IP-TFS implementation in the Linux kernel network stack. XFRM provides the kernel-level infrastructure for IPsec transformations. IP-TFS (IP Traffic Flow Security, RFC 9347) is a tunnel mode that provides enhanced traffic flow confidentiality by padding and aggregating packets. The flaw occurs in iptfs_clone_state() during the cloning of XFRM state objects when establishing new Security Associations. The function prematurely assigns the cloned state pointer to x->mode_data before completing memory allocation for the reorder window buffer. If kmalloc() fails during reorder window allocation, the error path invokes kfree() on the cloned state but leaves the dangling pointer in x->mode_data. Subsequently, the XFRM subsystem's generic cleanup code calls destroy_state() using the now-invalid pointer, resulting in a classic use-after-free condition. The affected code path exists from commit 6be02e3e4f37 onwards and impacts kernel versions 6.14 through 6.19.x and early 7.0 releases.

RemediationAI

Immediately upgrade to patched Linux kernel versions: 6.18.21 or later for 6.18.x series, 6.19.11 or later for 6.19.x series, or stable 7.0 release. Patch commits available at https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1 (mainline fix) and stable branch fixes at https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7 and https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e. For systems that cannot immediately patch, disable IP-TFS IPsec tunnel mode configurations as a temporary workaround by removing iptfs-mode directives from IPsec policy configurations (typically in /etc/ipsec.conf or strongSwan configurations). This eliminates the vulnerable code path entirely but breaks IP-TFS tunnel functionality, so traditional ESP tunnel mode must be used instead, which reduces traffic flow confidentiality protections. Standard ESP tunnel mode provides adequate confidentiality for most use cases but lacks IP-TFS padding/aggregation features. Verify no IP-TFS tunnels are active using 'ip xfrm state list' before and after configuration changes. Organizations requiring IP-TFS features must prioritize kernel patching over workarounds.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24821 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy