Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix refcount leak in xfrm_migrate_policy_find

syzkaller reported a memory leak in xfrm_policy_alloc:

BUG: memory leak
unreferenced object 0xffff888114d79000 (size 1024):
comm "syz.1.17", pid 931
...
xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432

The root cause is a double call to xfrm_pol_hold_rcu() in
xfrm_migrate_policy_find(). The lookup function already returns
a policy with held reference, making the second call redundant.

Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount
imbalance and prevent the memory leak.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
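The bug class described above (a lookup that already returns a held reference, followed by a second hold in the caller) is easy to model outside the kernel. The following userspace C program is an added example, not the kernel's xfrm code: `policy_find` models a lookup that hands back a held reference, `migrate_find_buggy` models the redundant second hold, `migrate_find_fixed` the corrected caller, and `leaked_after` counts the objects still alive once every owner has dropped its reference. All names and the `live_objects` counter are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted policy object; not the kernel struct. */
struct policy {
    int refcnt;
    char name[32];
};

/* Number of policy objects currently allocated (a stand-in for the
 * "unreferenced object" bookkeeping a leak detector such as kmemleak does). */
static int live_objects = 0;

static struct policy *policy_alloc(const char *name)
{
    struct policy *p = calloc(1, sizeof(*p));
    if (!p)
        abort();
    p->refcnt = 1;                       /* the owning table holds one reference */
    strncpy(p->name, name, sizeof(p->name) - 1);
    live_objects++;
    return p;
}

static void policy_hold(struct policy *p) { p->refcnt++; }

static void policy_put(struct policy *p)
{
    if (--p->refcnt == 0) {              /* last reference dropped: free it */
        free(p);
        live_objects--;
    }
}

/* Lookup that returns a held reference: the caller owns exactly one count
 * on the returned object and must drop it with policy_put(). */
static struct policy *policy_find(struct policy *table[], int n, const char *name)
{
    for (int i = 0; i < n; i++) {
        if (table[i] && strcmp(table[i]->name, name) == 0) {
            policy_hold(table[i]);
            return table[i];
        }
    }
    return NULL;
}

/* Buggy caller: takes a second hold on an already-held result, so one
 * reference is never dropped and the object can never be freed. */
static struct policy *migrate_find_buggy(struct policy *table[], int n, const char *name)
{
    struct policy *p = policy_find(table, n, name);
    if (p)
        policy_hold(p);                  /* redundant hold: this is the leak */
    return p;
}

/* Fixed caller: the reference returned by the lookup is the caller's own. */
static struct policy *migrate_find_fixed(struct policy *table[], int n, const char *name)
{
    return policy_find(table, n, name);
}

/* Run one lookup through the chosen caller, then have every owner (the
 * caller and the table) release its reference. Returns how many objects
 * are still alive afterwards: 0 means balanced, anything else is a leak. */
static int leaked_after(int use_buggy)
{
    struct policy *table[1];
    live_objects = 0;
    table[0] = policy_alloc("policy-0");

    struct policy *p = use_buggy ? migrate_find_buggy(table, 1, "policy-0")
                                 : migrate_find_fixed(table, 1, "policy-0");
    policy_put(p);                       /* caller is done with the policy */
    policy_put(table[0]);                /* table removes its entry */
    table[0] = NULL;
    return live_objects;
}

int main(void)
{
    printf("objects leaked with redundant hold: %d\n", leaked_after(1));
    printf("objects leaked with fixed caller:   %d\n", leaked_after(0));
    return 0;
}
```

Every additional lookup through the buggy path leaves one more object permanently referenced, which is why the kernel report shows an unfreed object allocated from `xfrm_policy_alloc` rather than a crash: the refcount never reaches zero, so the memory is simply never returned.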
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel had a reference-counting bug in the xfrm policy migration function that created a memory leak when syzkaller exercised the policy allocation code. A double call to xfrm_pol_hold_rcu() left a policy reference count incremented without a matching decrement, causing an unfreed kernel memory object. This leak can accumulate over time, potentially exhausting system memory and leading to degraded performance or denial of service. The issue is a classic example of CWE-911, which describes a programming error that causes resource exhaustion.

Affected Systems

All Linux kernel builds that include the xfrm subsystem before the commit that removes the redundant reference increment are impacted. This includes almost every distribution running an unpatched kernel. The vulnerability exists in the kernel source tree, independent of vendor, and any system that uses the unpatched code will be affected.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity rating. The EPSS score of < 1% and absence from the CISA KEV catalog suggest that public exploitation is uncommon. Based on the description, it is inferred that an attacker would need to influence kernel traffic that triggers policy migration, such as by sending crafted network packets that force an xfrm policy to be migrated. The likely attack vector is remote network traffic that initiates the xfrm policy path, although local privileged users could also trigger the condition. While the risk of exploitation is modest, repeated exploitation could allow an attacker to drain memory resources, resulting in denial of service.

Generated by OpenCVE AI on May 19, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch removing the redundant xfrm_pol_hold_rcu() call.
  • Reboot the system to ensure the updated kernel image is active.
  • Monitor system memory usage and kernel logs over the following days to confirm that the memory leak no longer occurs and no new unfreed objects are reported.

Advisories

No advisories yet.

History

Tue, 19 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: fix refcount leak in xfrm_migrate_policy_find syzkaller reported a memory leak in xfrm_policy_alloc: BUG: memory leak unreferenced object 0xffff888114d79000 (size 1024): comm "syz.1.17", pid 931 ... xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432 The root cause is a double call to xfrm_pol_hold_rcu() in xfrm_migrate_policy_find(). The lookup function already returns a policy with held reference, making the second call redundant. Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount imbalance and prevent the memory leak. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Title xfrm: fix refcount leak in xfrm_migrate_policy_find
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:32.208Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43090

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T10:16:22.313

Modified: 2026-05-19T20:44:03.047

Link: CVE-2026-43090

Redhat

Severity : Low

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43090 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T21:30:14Z

Weaknesses