CVE-2026-31471 - Vulnerability Details

- xfrm: iptfs: only publish mode_data after clone setup

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: only publish mode_data after clone setup

iptfs_clone_state() stores x->mode_data before allocating the reorder
window. If that allocation fails, the code frees the cloned state and
returns -ENOMEM, leaving x->mode_data pointing at freed memory.

The xfrm clone unwind later runs destroy_state() through x->mode_data,
so the failed clone path tears down IPTFS state that clone_state()
already freed.

Keep the cloned IPTFS state private until all allocations succeed so
failed clones leave x->mode_data unset. The destroy path already
handles a NULL mode_data pointer.

Published: 2026-04-22

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel a failure to allocate an IPTFS reorder window leaves the mode_data pointer pointing to freed memory; subsequent teardown routines use this dangling pointer, creating a use‑after‑free condition. This bug can corrupt kernel state, potentially allowing privilege escalation or untrusted code execution, and can also cause the kernel to crash, resulting in a denial of service.

Affected Systems

The vulnerability is present in all kernel builds that contain the buggy xfrm:iptfs clone logic, and no specific version range is provided; any Linux system running a kernel prior to the patch that introduced the fix is affected. Users should check that their kernel contains commit 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1 or later.

Risk and Exploitability

The CVSS score is not disclosed, and the EPSS value is unavailable, but the bug involves kernel‑level memory corruption with local–realm exploitation potential. Because the vulnerability is a classic use‑after‑free (CWE‑416) that can crash or compromise a privileged process, its likelihood of exploitation is significant in environments with active IPsec/second‑level tunneling. It is not yet catalogued in CISA KEV, but it should be treated as a high‑risk kernel flaw until fully mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6be02e3e4f376fea468846c8562655ca5ee18204`	affected	< 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1
`6be02e3e4f376fea468846c8562655ca5ee18204`	affected	< 5784a1e2889c9525a8f036cb586930e232170bf7
`6be02e3e4f376fea468846c8562655ca5ee18204`	affected	< d849a2f7309fc0616e79d13b008b0a47e0458b6e

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6be02e3e4f376fea468846c8562655ca5ee18204,371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1)`	affected	code_commit	—
`[6be02e3e4f376fea468846c8562655ca5ee18204,5784a1e2889c9525a8f036cb586930e232170bf7)`	affected	code_commit	—
`[6be02e3e4f376fea468846c8562655ca5ee18204,d849a2f7309fc0616e79d13b008b0a47e0458b6e)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	semver	—
`[0,6.14)`	unaffected	generic	—
`[6.18.21,6.19.0)`	unaffected	semver	—
`[6.19.11,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the commit that fixes the xfrm:iptfs clone logic
If IPTFS or IPsec is not required, disable these features or restrict their use through configuration or network policy
Enable kernel auditing and monitor system logs for IPsec‑related crashes or panics to detect exploitation attempts

Generated by OpenCVE AI on April 22, 2026 at 18:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1
https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7
https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e
https://lore.kernel.org/linux-cve-announce/2026042254-CVE-2026-31471-d8ba@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31471
https://www.cve.org/CVERecord?id=CVE-2026-31471

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1341
References		https://lore.kernel.org/linux-cve-announce/2026042254-CVE-2026-31471-d8ba@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31471 https://www.cve.org/CVERecord?id=CVE-2026-31471

Wed, 22 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish mode_data after clone setup iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory. The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed. Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.
Title		xfrm: iptfs: only publish mode_data after clone setup
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1 https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7 https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:53:59.595Z

Updated: 2026-04-22T13:53:59.595Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31471

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:43.610

Modified: 2026-04-22T14:16:43.610

Link: CVE-2026-31471

Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31471 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:00:08Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object