CVE-2026-31518 - Vulnerability Details

- esp: fix skb leak with espintcp and async crypto

Description

In the Linux kernel, the following vulnerability has been resolved:

esp: fix skb leak with espintcp and async crypto

When the TX queue for espintcp is full, esp_output_tail_tcp will
return an error and not free the skb, because with synchronous crypto,
the common xfrm output code will drop the packet for us.

With async crypto (esp_output_done), we need to drop the skb when
esp_output_tail_tcp returns an error.

Published: 2026-04-22

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

This bug involves the Linux kernel's ESP over TCP (espintcp) module. When the transmit queue reaches capacity, esp_output_tail_tcp returns an error but fails to free the associated socket buffer (skb). With synchronous crypto, a subsequent common xfrm output drop handles the cleanup, but with asynchronous crypto (esp_output_done) the skb is never freed. The resulting leak accumulates unreferenced skbs in memory. Over time, unbounded accumulation can exhaust kernel memory, destabilizing the system or allowing an attacker to trigger a denial‑of‑service by exhausting resources. The weakness maps to CWE‑459: Resource Leak.

Affected Systems

The flaw exists in the Linux kernel code that implements ESP over TCP. All distributions packaging unpatched Linux kernels are potentially affected; the precise version range is not specified in the advisory. Any system running the old kernel build that handles IPsec over TCP and uses asynchronous crypto code is susceptible. The vulnerability affects the kernel itself rather than user space applications.

Risk and Exploitability

Because EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, the attack surface is not known to be actively exploited. However, the bug can be triggered by sending a high volume of ESP‑encrypted TCP packets that fill the transmit queue. Thus remote attackers who can inject such traffic could drain memory resources over time. While no public exploit is demonstrated, the combination of a resource leak and potential for sustained traffic makes it a medium‑to‑high risk for vulnerable hosts. Administrators should treat this as a potential denial‑of‑service scenario until a patch is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< aca3ad0c262f54a5b5c95dda80a48365997d1224
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 41aafca57de4a4c026701622bd4648f112a9edcd
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 4820847e036ff1035b01b69ad68dfc17e7028fe9
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 6a3ec6efbc4f90e0ccb2e71574f07351f19996f4
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< df6f995358dc1f3c42484f5cfe241d7bd3e1cd15
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 88d386243ed374ac969dabd3bbc1409a31d81818
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 6aa9841d917532d0f2d932d1ff2f3a94305aaf47
`e27cca96cd68fa2c6814c90f9a1cfd36bb68c593`	affected	< 0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2

Linux

affected

Version	Status	Constraints
`5.6`	affected	—
`0`	unaffected	< 5.6
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,aca3ad0c262f54a5b5c95dda80a48365997d1224)`	affected	code_commit	—
`[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,41aafca57de4a4c026701622bd4648f112a9edcd)`	affected	code_commit	—
`[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,4820847e036ff1035b01b69ad68dfc17e7028fe9)`	affected	code_commit	—
`[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,6a3ec6efbc4f90e0ccb2e71574f07351f19996f4)`	affected	code_commit	—
`[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,df6f995358dc1f3c42484f5cfe241d7bd3e1cd15)`	affected	code_commit	—
`[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,88d386243ed374ac969dabd3bbc1409a31d81818)`	affected	code_commit	—
`[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,6aa9841d917532d0f2d932d1ff2f3a94305aaf47)`	affected	code_commit	—
`[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.6`	affected	generic	—
`[0,5.6)`	unaffected	generic	—
`[5.10.253,5.10.*]`	unaffected	generic	—
`[5.15.203,5.15.*]`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[6.6.131,6.6.*]`	unaffected	generic	—
`[6.12.80,6.12.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—
`[6.19.11,6.19.*]`	unaffected	generic	—
`[6.18.21,6.18.*]`	unaffected	generic	—
`[6.12.80,6.12.*]`	unaffected	generic	—
`[6.6.131,6.6.*]`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[5.15.203,5.15.*]`	unaffected	generic	—
`[5.10.253,5.10.*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the espintcp skb leak fix (e.g., apply the latest kernel patch series from the vendor).
If immediate kernel upgrade is not possible, restrict or disable ESP over TCP traffic, or enforce strict rate limiting on incoming ESP packets.
Monitor kernel memory consumption and the number of skbs in the network stack; investigate and alert if unexpected growth is observed.

Generated by OpenCVE AI on April 22, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2
https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd
https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9
https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4
https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47
https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818
https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224
https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15
https://lore.kernel.org/linux-cve-announce/2026042211-CVE-2026-31518-ba84@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31518
https://www.cve.org/CVERecord?id=CVE-2026-31518

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026042211-CVE-2026-31518-ba84@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31518 https://www.cve.org/CVERecord?id=CVE-2026-31518
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 22 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-459

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us. With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.
Title		esp: fix skb leak with espintcp and async crypto
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2 https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9 https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4 https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47 https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818 https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224 https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:34.191Z

Updated: 2026-04-22T13:54:34.191Z

Reserved: 2026-03-09T15:48:24.108Z

Link: CVE-2026-31518

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:51.410

Modified: 2026-04-22T14:16:51.410

Link: CVE-2026-31518

Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31518 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T18:45:24Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object