Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly

In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner
packet 'newskb' that is being reassembled. First a zero-copy approach is
tried if it succeeds then newskb becomes non-linear.

When a subsequent fragment in the same datagram does not meet the
fast-path conditions, a memory copy is performed. It calls skb_put() to
append the data and as newskb is non-linear it triggers
SKB_LINEAR_ASSERT check.

Oops: invalid opcode: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:skb_put+0x3c/0x40
[...]
Call Trace:
<IRQ>
iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]
iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]
iptfs_input+0x122/0x3e0 [xfrm_iptfs]
xfrm_input+0x91e/0x1a50
xfrm4_esp_rcv+0x3a/0x110
ip_protocol_deliver_rcu+0x1d7/0x1f0
ip_local_deliver_finish+0xbe/0x1e0
__netif_receive_skb_core.constprop.0+0xb56/0x1120
__netif_receive_skb_list_core+0x133/0x2b0
netif_receive_skb_list_internal+0x1ff/0x3f0
napi_complete_done+0x81/0x220
virtnet_poll+0x9d6/0x116e [virtio_net]
__napi_poll.constprop.0+0x2b/0x270
net_rx_action+0x162/0x360
handle_softirqs+0xdc/0x510
__irq_exit_rcu+0xe7/0x110
irq_exit_rcu+0xe/0x20
common_interrupt+0x85/0xa0
</IRQ>
<TASK>

Fix this by checking if the skb is non-linear. If it is, linearize it by
calling skb_linearize(). As the initial allocation of newskb originally
reserved enough tailroom for the entire reassembled packet we do not
need to check if we have enough tailroom or extend it.
Published: 2026-04-22
Score: n/a
EPSS: n/a
KEV: No
Impact: Denial of Service (kernel crash)
Action: Immediate Patch
AI Analysis

Impact

The flaw occurs in the Linux kernel’s IPTFS packet reassembly logic when a non‑linear socket buffer is mistakenly appended to with skb_put, triggering the SKB_LINEAR_ASSERT check and causing a kernel panic. A malicious sender can craft fragmented IP packets that exercise this path, forcing the system to reboot or halt, which disrupts availability for that host.

Affected Systems

The vulnerability is present in any Linux kernel that implements the IPTFS feature, and no specific version range is specified in the advisory. All affected systems using the default IPTFS configuration are at risk until the patch is applied.

Risk and Exploitability

No CVSS or EPSS score is provided and the issue is not listed in the CISA KEV catalog, but the crash‑based nature of the flaw gives it high exploitability via network traffic. An attacker can target a host by sending a series of IP fragments that trigger the reassembly path. The only known mitigation is to apply the vendor’s fix or otherwise disable IPTFS processing.

Generated by OpenCVE AI on April 22, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the fix for IPTFS reassembly, using your distribution’s security update channel.
  • If an update cannot be applied immediately, disable IPTFS processing in the kernel configuration or via sysctl to prevent the reassembly code from executing.
  • Restrict or block inbound fragmented IP traffic that would otherwise reach the kernel, and monitor system logs for panics to act swiftly when the issue persists.

Generated by OpenCVE AI on April 22, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner packet 'newskb' that is being reassembled. First a zero-copy approach is tried if it succeeds then newskb becomes non-linear. When a subsequent fragment in the same datagram does not meet the fast-path conditions, a memory copy is performed. It calls skb_put() to append the data and as newskb is non-linear it triggers SKB_LINEAR_ASSERT check. Oops: invalid opcode: 0000 [#1] SMP NOPTI [...] RIP: 0010:skb_put+0x3c/0x40 [...] Call Trace: <IRQ> iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs] iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs] iptfs_input+0x122/0x3e0 [xfrm_iptfs] xfrm_input+0x91e/0x1a50 xfrm4_esp_rcv+0x3a/0x110 ip_protocol_deliver_rcu+0x1d7/0x1f0 ip_local_deliver_finish+0xbe/0x1e0 __netif_receive_skb_core.constprop.0+0xb56/0x1120 __netif_receive_skb_list_core+0x133/0x2b0 netif_receive_skb_list_internal+0x1ff/0x3f0 napi_complete_done+0x81/0x220 virtnet_poll+0x9d6/0x116e [virtio_net] __napi_poll.constprop.0+0x2b/0x270 net_rx_action+0x162/0x360 handle_softirqs+0xdc/0x510 __irq_exit_rcu+0xe7/0x110 irq_exit_rcu+0xe/0x20 common_interrupt+0x85/0xa0 </IRQ> <TASK> Fix this by checking if the skb is non-linear. If it is, linearize it by calling skb_linearize(). As the initial allocation of newskb originally reserved enough tailroom for the entire reassembled packet we do not need to check if we have enough tailroom or extend it.
Title xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:54:33.522Z

Reserved: 2026-03-09T15:48:24.108Z

Link: CVE-2026-31517

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-22T14:16:51.273

Modified: 2026-04-22T14:16:51.273

Link: CVE-2026-31517

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31517 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:00:07Z

Weaknesses