Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The Linux kernel's IPTFS payload handling does not validate the inner IPv4 packet fields parsed from decrypted ESP payloads. An attacker can craft an ESP packet that contains an inner IPv4 header with a total length of zero or a malformed header length. A total length of zero makes the captured length zero, so the data offset never advances and the inner packet loop never terminates; it spins in softirq context, consuming CPU and disabling packet processing.
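The stall and the length check from the description, as an added user-space model (not the kernel's code and not the upstream patch). The names `walk_payload`, `demo`, the two `WALK_*` codes and the iteration budget are assumptions made for illustration; the kernel loop has no budget, which is why it spins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_IPV4_HDR   20u   /* sizeof(struct iphdr) */
#define WALK_MALFORMED (-1)  /* inner header rejected by the length check */
#define WALK_STALLED   (-2)  /* model only: iteration budget ran out */

/* User-space model of the walk over concatenated inner IPv4 packets.
 * validate=0 models the loop without the check, validate=1 with it. */
int walk_payload(const uint8_t *data, size_t len, int validate, unsigned budget)
{
    const uint8_t *tail = data + len;
    int npkts = 0;

    while (data < tail) {
        size_t remaining = (size_t)(tail - data);
        if (budget-- == 0)
            return WALK_STALLED;        /* the kernel has no such budget */
        if (remaining < MIN_IPV4_HDR || (data[0] >> 4) != 4)
            break;                      /* model handles whole IPv4 headers only */
        size_t hdrlen = (size_t)(data[0] & 0x0f) * 4;      /* ihl*4 */
        size_t iplen = ((size_t)data[2] << 8) | data[3];   /* tot_len */
        if (validate && (hdrlen < MIN_IPV4_HDR || iplen < hdrlen))
            return WALK_MALFORMED;
        size_t capturelen = iplen < remaining ? iplen : remaining;
        data += capturelen;             /* capturelen == 0 never advances */
        npkts++;
    }
    return npkts;
}

/* Constructed input: one well-formed 20-byte packet, then a second header
 * carrying the given ihl and tot_len. */
int demo(unsigned ihl, unsigned tot_len, int validate)
{
    uint8_t buf[40];
    memset(buf, 0, sizeof(buf));
    buf[0] = 0x45; buf[3] = 20;
    buf[20] = (uint8_t)(0x40 | (ihl & 0x0f));
    buf[22] = (uint8_t)(tot_len >> 8); buf[23] = (uint8_t)tot_len;
    return walk_payload(buf, sizeof(buf), validate, 1000);
}

int main(void)
{
    printf("tot_len=0 unchecked: %d, checked: %d\n", demo(5, 0, 0), demo(5, 0, 1));
    return 0;
}
```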

Affected Systems

All Linux kernels that include the IPTFS implementation and predate the commit adding tot_len and ihl validation are affected. This includes every upstream Linux release until the patch is applied; the CPE list covers kernels 6.14 and all 7.0 release candidates.

Risk and Exploitability

The likely attack vector is inferred from the description: a remote adversary can trigger the denial of service by sending the crafted packet over any interface that processes IPsec traffic. The vulnerability does not require elevated privileges and can be exploited from any network location that can reach the host. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, but the medium CVSS score of 5.5, combined with the ease of remote trigger, still represents a notable risk to availability.

Generated by OpenCVE AI on April 29, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that introduces validation of the inner IPv4 header tot_len and ihl fields in __input_process_payload().
  • If the patch cannot be applied immediately, block or drop suspicious ESP packets at the perimeter using firewall rules or disable IPTFS if it is not required.
  • After applying the patch, monitor softirq activity and CPU usage for any residual abnormal behavior.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Mon, 27 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
CPEs cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000


Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload Add validation of the inner IPv4 packet tot_len and ihl fields parsed from decrypted IPTFS payloads in __input_process_payload(). A crafted ESP packet containing an inner IPv4 header with tot_len=0 causes an infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the data offset never advances and the while(data < tail) loop never terminates, spinning forever in softirq context. Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct iphdr), which catches both the tot_len=0 case and malformed ihl values. The normal IP stack performs this validation in ip_rcv_core(), but IPTFS extracts and processes inner packets before they reach that layer.
Title xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:23.766Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31472

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:43.740

Modified: 2026-04-27T23:28:23.840

Link: CVE-2026-31472

Red Hat

Severity :

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31472 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:00:27Z

Weaknesses