Skip to main content

Linux Kernel EUVDEUVD-2026-27590

| CVE-2026-43090 MEDIUM
2026-05-06 Linux GHSA-98cq-cjv3-cjrc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 19, 2026 - 23:01 vuln.today
CVSS changed
May 19, 2026 - 20:52 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix refcount leak in xfrm_migrate_policy_find

syzkaller reported a memory leak in xfrm_policy_alloc:

BUG: memory leak unreferenced object 0xffff888114d79000 (size 1024): comm "syz.1.17", pid 931 ... xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432

The root cause is a double call to xfrm_pol_hold_rcu() in xfrm_migrate_policy_find(). The lookup function already returns a policy with held reference, making the second call redundant.

Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount imbalance and prevent the memory leak.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

AnalysisAI

Reference count leak in the Linux kernel's xfrm IPsec subsystem allows a local low-privileged attacker to exhaust kernel memory, resulting in denial of service. The defect resides in xfrm_migrate_policy_find(), where xfrm_pol_hold_rcu() is called twice - once implicitly by the lookup path (which already returns a held reference) and once redundantly - creating a refcount imbalance that prevents memory reclamation. Discovered by the Linux Verification Center using Syzkaller fuzzing; no public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating minimal observed exploitation activity.

Technical ContextAI

The xfrm subsystem (net/xfrm/) is the Linux kernel's IPsec transform and policy framework, responsible for managing security associations and policies for encrypted tunnels. The vulnerable function xfrm_migrate_policy_find() is invoked during IPsec policy migration operations. The bug is a classic reference counting error: the internal lookup already increments the object's reference counter via RCU (Read-Copy-Update) before returning, but the calling code in xfrm_migrate_policy_find() calls xfrm_pol_hold_rcu() a second time on the same object, resulting in a net refcount of +2 on each invocation. Because the matching xfrm_pol_put() is only called once, the kernel never frees the xfrm_policy object, constituting a persistent memory leak. CPE data identifies the affected product as cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, covering a range of kernel versions beginning from commit 563d5ca93e883b9dcb4b7dc8967ac569fd91820d. No CWE is formally assigned, but the root cause class maps to CWE-401 (Missing Release of Memory after Effective Lifetime) combined with improper reference count management.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched version: 6.12.83, 6.18.24, 6.19.14, or 7.0. The upstream fix removes the redundant xfrm_pol_hold_rcu() call from xfrm_migrate_policy_find(), and stable-tree patches are available at https://git.kernel.org/stable/c/21e235a36cfb6d145cefb10728f12f5dc5412f54, https://git.kernel.org/stable/c/836ee1b0426ea3db31531e9581cc32f513d24e32, https://git.kernel.org/stable/c/70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a, and https://git.kernel.org/stable/c/83317cce60a032c49480dcdabe146435bd689d03. Distribution-specific backports should be checked via the respective vendor security tracker. As a compensating control where patching is not immediately possible, administrators can restrict unprivileged access to xfrm/IPsec policy migration via Linux capabilities (CAP_NET_ADMIN is typically required for xfrm_migrate operations); tightening this to only authorized processes or service accounts prevents unprivileged local users from triggering the code path. Note that disabling xfrm migration entirely may impact IPsec mobility scenarios (e.g., IKEv2 MOBIKE). No confidentiality or integrity workaround is needed given the availability-only impact.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy