Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.
Published: 2026-04-22
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Linux kernel's IPTFS payload handling. A crafted ESP packet carrying an inner IPv4 header with a total length of zero or a malformed header length is processed without validation. With a total length of zero the data offset never advances, so the while loop never terminates and spins in softirq context, consuming CPU time and stalling packet processing, effectively crashing or disabling the kernel's networking stack. The weakness is missing input validation that leads to uncontrolled resource consumption.
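
A user-space model of the parsing loop and the added length check, written for this page as an illustration; it is not the kernel's code. The function names, return codes, iteration budget and sample buffers are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define IPV4_MIN_HDR 20u  /* sizeof(struct iphdr), no options */
#define REJECTED (-1)     /* inner header failed the length check */
#define STALLED  (-2)     /* offset stopped advancing (demo-only budget hit) */

/* Check from the description: reject tot_len < ihl*4 or ihl*4 < 20. */
static int inner_ipv4_len_ok(const uint8_t *h)
{
    unsigned ihl_bytes = (h[0] & 0x0fu) * 4u;
    unsigned tot_len = ((unsigned)h[2] << 8) | h[3];  /* big-endian field */
    return ihl_bytes >= IPV4_MIN_HDR && tot_len >= ihl_bytes;
}

/* Walk back-to-back inner IPv4 packets; return packet count or an error. */
int walk_payload(const uint8_t *buf, size_t len, int validate)
{
    size_t data = 0;
    int pkts = 0, budget = 1000;  /* budget exists only so the demo ends */
    while (data < len && len - data >= IPV4_MIN_HDR) {
        const uint8_t *h = buf + data;
        if (validate && !inner_ipv4_len_ok(h))
            return REJECTED;
        size_t iplen = ((size_t)h[2] << 8) | h[3];
        size_t capturelen = iplen < len - data ? iplen : len - data;
        data += capturelen;       /* iplen == 0 leaves data unchanged */
        pkts++;
        if (--budget == 0)
            return STALLED;
    }
    return pkts;
}

/* Constructed samples: 0 = two valid packets, 1 = tot_len 0, 2 = ihl 4. */
int run_sample(int kind, int validate)
{
    uint8_t buf[40] = {0};
    buf[0] = buf[20] = 0x45;      /* version 4, ihl 5 */
    buf[3] = buf[23] = 20;        /* tot_len = 20 */
    if (kind == 1) buf[3] = 0; else if (kind == 2) buf[0] = 0x44;
    return walk_payload(buf, sizeof(buf), validate);
}

int main(void)
{
    printf("valid=%d zero_len(unchecked)=%d zero_len=%d bad_ihl=%d\n",
           run_sample(0, 1), run_sample(1, 0), run_sample(1, 1), run_sample(2, 1));
    return 0;
}
```

Without the check, the zero-length sample only ends because of the demo budget; with it, both malformed headers are rejected before the offset arithmetic runs.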

Affected Systems

The Linux kernel (vendor Linux, product Linux Kernel) is affected in all versions until the patch that adds inner packet length validation is applied. No specific version list is supplied, so all kernels prior to the commit that introduced the validation of tot_len and ihl fields are vulnerable.

Risk and Exploitability

The attack vector is network‑based; an adversary can send crafted ESP packets from outside or inside the network to trigger the infinite loop. EPSS data are not available, and the vulnerability is not listed in CISA’s KEV catalog, but the denial of service impact combined with the ability to trigger it remotely indicates a high risk. The lack of hardening in the kernel’s packet processing path means the exploit requires no special privileges and can be executed from any source that can reach the vulnerable host.

Generated by OpenCVE AI on April 22, 2026 at 18:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s kernel patch that introduces validation of the inner IPv4 header tot_len and ihl fields in __input_process_payload().
  • If the patch cannot be applied immediately, block or drop suspicious ESP packets at the network perimeter using firewall rules, or disable IPTFS if it is not required for your environment.
  • After applying the patch, monitor system performance and softirq statistics for any residual abnormal behavior caused by packet processing loops.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000


Wed, 22 Apr 2026 19:15:00 +0000

Values added:
Weaknesses: CWE-400

Wed, 22 Apr 2026 14:15:00 +0000

Values added:
Description: same text as the Description section at the top of this page
Title: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:54:00.281Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31472

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-22T14:16:43.740

Modified: 2026-04-23T16:17:41.280

Link: CVE-2026-31472

Redhat

Severity:

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31472 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:00:08Z

Weaknesses