Description
In the Linux kernel, the following vulnerability has been resolved:

esp: fix skb leak with espintcp and async crypto

When the TX queue for espintcp is full, esp_output_tail_tcp will
return an error and not free the skb, because with synchronous crypto,
the common xfrm output code will drop the packet for us.

With async crypto (esp_output_done), we need to drop the skb when
esp_output_tail_tcp returns an error.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service via Memory Leak
Action: Apply Patch
AI Analysis

Impact

Based on the description, this bug involves the Linux kernel's ESP over TCP (espintcp) module. When the transmit queue reaches capacity, esp_output_tail_tcp returns an error but fails to free the associated socket buffer (skb). With synchronous crypto, the subsequent common xfrm output drop handles the cleanup, but with asynchronous crypto (esp_output_done) the skb is never freed. The resulting leak accumulates unreferenced skbs in memory. Over time, unbounded accumulation can exhaust kernel memory, destabilizing the system. The weakness maps to CWE-401 (Memory Leak) and CWE-772. A remote attacker could trigger a denial‑of‑service by repeatedly sending ESP‑over‑TCP packets to fill the queue, causing the skb leak to accumulate and eventually exhaust kernel memory.

Affected Systems

Based on the description, the flaw exists in Linux kernel code that implements ESP over TCP. All Linux distributions packaging unpatched kernels are potentially affected; the advisory does not specify a precise kernel version range. Any system running the unpatched kernel build that handles IPsec over TCP and uses asynchronous crypto code is susceptible. The vulnerability affects the kernel itself rather than user‑space applications.

Risk and Exploitability

Because the EPSS score is < 1% and the CVE is not listed in the CISA KEV catalog, no large‑scale exploitation has been observed yet. The CVSS score of 5.5 indicates a medium severity. Based on the description, the attack vector is likely remote traffic targeting the ESP‑over‑TCP path, which can trigger the skb leak.

Generated by OpenCVE AI on April 29, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the espintcp skb leak fix (e.g., apply the latest kernel patch series from the vendor).
  • If immediate kernel upgrade is not possible, restrict or disable ESP over TCP traffic, or enforce strict rate limiting on incoming ESP packets.
  • Monitor kernel memory consumption and the number of skbs in the network stack; investigate and alert if unexpected growth is observed.

Generated by OpenCVE AI on April 29, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Wed, 29 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459

Tue, 28 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 22 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us. With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.
Title esp: fix skb leak with espintcp and async crypto
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:20.804Z

Reserved: 2026-03-09T15:48:24.108Z

Link: CVE-2026-31518

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:51.410

Modified: 2026-04-28T17:25:54.393

Link: CVE-2026-31518

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31518 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:30:07Z

Weaknesses