Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: only publish mode_data after clone setup

iptfs_clone_state() stores x->mode_data before allocating the reorder
window. If that allocation fails, the code frees the cloned state and
returns -ENOMEM, leaving x->mode_data pointing at freed memory.

The xfrm clone unwind later runs destroy_state() through x->mode_data,
so the failed clone path tears down IPTFS state that clone_state()
already freed.

Keep the cloned IPTFS state private until all allocations succeed so
failed clones leave x->mode_data unset. The destroy path already
handles a NULL mode_data pointer.
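The ordering bug the commit message describes, modelled in user-space C as an added example rather than kernel code: the structs, the fault-injection switch and the helper names are simplified stand-ins, and the buggy and fixed clone routines sit side by side so the difference in the failure path is visible.

```c
#include <errno.h>
#include <stdlib.h>
/* Simplified stand-ins for the kernel structs, not the real definitions. */
struct iptfs_data { void *reorder_win; };
struct xfrm_state { void *mode_data; };   /* NULL when no mode data is set */
/* Fault injection: when set, the reorder-window allocation fails. */
static int fail_reorder_alloc;
static void *alloc_reorder_window(void) { return fail_reorder_alloc ? NULL : calloc(1, 64); }

/* Buggy ordering from the description: publish first, allocate second. */
static int clone_state_buggy(struct xfrm_state *x)
{
    struct iptfs_data *xtfs = calloc(1, sizeof(*xtfs));
    if (!xtfs) return -ENOMEM;
    x->mode_data = xtfs;                   /* published too early */
    xtfs->reorder_win = alloc_reorder_window();
    if (!xtfs->reorder_win) { free(xtfs); return -ENOMEM; } /* x->mode_data dangles */
    return 0;
}

/* Fixed ordering: keep the clone private until every allocation succeeds. */
static int clone_state_fixed(struct xfrm_state *x)
{
    struct iptfs_data *xtfs = calloc(1, sizeof(*xtfs));
    if (!xtfs) return -ENOMEM;
    xtfs->reorder_win = alloc_reorder_window();
    if (!xtfs->reorder_win) { free(xtfs); return -ENOMEM; } /* nothing published */
    x->mode_data = xtfs;                   /* publish only now */
    return 0;
}

/* Unwind path: a NULL mode_data is handled, a stale one would be freed again. */
static void destroy_state(struct xfrm_state *x)
{
    struct iptfs_data *xtfs = x->mode_data;
    if (!xtfs) return;
    free(xtfs->reorder_win); free(xtfs);
    x->mode_data = NULL;
}

/* Fail the reorder-window allocation during a clone, then unwind like the xfrm clone
 * path. Returns 1 if x->mode_data was left dangling (unwind skipped: it would double
 * free), 0 if it was left NULL and destroy_state() ran as a safe no-op. */
static int failed_clone_leaves_mode_data(int (*clone)(struct xfrm_state *))
{
    struct xfrm_state x = { .mode_data = NULL };
    fail_reorder_alloc = 1;
    int rc = clone(&x);
    fail_reorder_alloc = 0;
    if (rc != -ENOMEM || x.mode_data) return 1;
    destroy_state(&x);                     /* safe: mode_data is NULL */
    return 0;
}
```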
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When the reorder-window allocation fails in the IPTFS clone setup path, the cloned state is freed but mode_data is left pointing at that freed memory. The xfrm clone unwind then calls destroy_state() through the stale pointer, a use-after-free that tears down IPTFS state that was already freed. The likely attack vector is IPsec or related packet processing that reaches the IPTFS clone path when its allocation fails, though the description does not state how the trigger is achieved. Based on the description, it is inferred that an attacker with sufficient control over such traffic could cause kernel memory corruption or a denial of service, such as a crash or reboot.

Affected Systems

The flaw exists in all Linux kernel releases that include the buggy xfrm:iptfs clone code prior to the patch commit 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1. No specific version range is listed, so any kernel image not incorporating that commit or a later fix is potentially vulnerable. System administrators should verify whether their kernel incorporates the commit or later revisions containing the fix.

Risk and Exploitability

The CVSS score is 7.8 (high severity). The EPSS score is below 1% (0.00013), a low but non-zero probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Because the flaw is a local kernel use-after-free that requires influencing the IPTFS allocation, typically via IPsec or custom packet traffic, the attack vector is local. The impact ranges from a kernel crash to potential privilege escalation if the attacker can execute arbitrary code in kernel context. Overall, the risk warrants prompt patching.

Generated by OpenCVE AI on May 6, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that includes commit 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1 or later
  • Disable or restrict IPTFS or IPsec usage if not needed, for example by disabling the IPsec modules or applying firewall rules
  • Enable kernel auditing and monitor system logs for kernel panics or abnormal crashes to detect exploitation attempts


Advisories

No advisories yet.

History

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Wed, 29 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Thu, 23 Apr 2026 00:15:00 +0000
Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish mode_data after clone setup iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory. The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed. Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.
Title xfrm: iptfs: only publish mode_data after clone setup
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:22.643Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31471

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:43.610

Modified: 2026-05-06T21:37:47.057

Link: CVE-2026-31471

Redhat

Severity :

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31471 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T23:30:16Z

Weaknesses