CVE-2026-43090 - Vulnerability Details

- xfrm: fix refcount leak in xfrm_migrate_policy_find

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix refcount leak in xfrm_migrate_policy_find

syzkaller reported a memory leak in xfrm_policy_alloc:

BUG: memory leak
unreferenced object 0xffff888114d79000 (size 1024):
comm "syz.1.17", pid 931
...
xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432

The root cause is a double call to xfrm_pol_hold_rcu() in
xfrm_migrate_policy_find(). The lookup function already returns
a policy with held reference, making the second call redundant.

Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount
imbalance and prevent the memory leak.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel had a reference‑counting bug in the xfrm policy migration function that caused a memory leak when syzkaller exercised the policy allocation path. The double call to xfrm_pol_hold_rcu() left a reference held, resulting in an unreferenced object that never freed. This leak can accumulate over time, potentially exhausting memory and degrading system stability. The fix removes the redundant call, restoring correct reference counting.

Affected Systems

All Linux kernel builds that include the xfrm subsystem prior to the commit that removes the redundant reference increment are affected. The issue is present in the kernel source tree regardless of distribution; any vendor using an unchanged kernel may be impacted.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating limited public exploitation data. Because the leak only manifests during specific policy migration scenarios, an attacker would need influence over kernel traffic or the ability to trigger these conditions, making the likelihood of exploitation modest. However, the potential for memory exhaustion could lead to denial of service if the leak is sufficiently large or if the system is under heavy load.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`563d5ca93e883b9dcb4b7dc8967ac569fd91820d`	affected	< 21e235a36cfb6d145cefb10728f12f5dc5412f54
`563d5ca93e883b9dcb4b7dc8967ac569fd91820d`	affected	< 836ee1b0426ea3db31531e9581cc32f513d24e32
`563d5ca93e883b9dcb4b7dc8967ac569fd91820d`	affected	< 70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a
`563d5ca93e883b9dcb4b7dc8967ac569fd91820d`	affected	< 83317cce60a032c49480dcdabe146435bd689d03

Linux

affected

Version	Status	Constraints
`6.12`	affected	—
`0`	unaffected	< 6.12
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[563d5ca93e883b9dcb4b7dc8967ac569fd91820d,21e235a36cfb6d145cefb10728f12f5dc5412f54)`	affected	code_commit	—
`[563d5ca93e883b9dcb4b7dc8967ac569fd91820d,836ee1b0426ea3db31531e9581cc32f513d24e32)`	affected	code_commit	—
`[563d5ca93e883b9dcb4b7dc8967ac569fd91820d,70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a)`	affected	code_commit	—
`[563d5ca93e883b9dcb4b7dc8967ac569fd91820d,83317cce60a032c49480dcdabe146435bd689d03)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.12`	affected	generic	—
`[0,6.12)`	unaffected	generic	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that removes the redundant xfrm_pol_hold_rcu() call and rebuild or update to a kernel version containing the fix.
Reboot the system or perform a cold boot to ensure the updated kernel image is running.
After applying the patch, monitor system memory usage to confirm that the leak has been resolved and no new memory objects remain unfreed.

Generated by OpenCVE AI on May 6, 2026 at 11:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/21e235a36cfb6d145cefb10728f12f5dc5412f54
https://git.kernel.org/stable/c/70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a
https://git.kernel.org/stable/c/83317cce60a032c49480dcdabe146435bd689d03
https://git.kernel.org/stable/c/836ee1b0426ea3db31531e9581cc32f513d24e32

History

Wed, 06 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfrm: fix refcount leak in xfrm_migrate_policy_find syzkaller reported a memory leak in xfrm_policy_alloc: BUG: memory leak unreferenced object 0xffff888114d79000 (size 1024): comm "syz.1.17", pid 931 ... xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432 The root cause is a double call to xfrm_pol_hold_rcu() in xfrm_migrate_policy_find(). The lookup function already returns a policy with held reference, making the second call redundant. Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount imbalance and prevent the memory leak. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Title		xfrm: fix refcount leak in xfrm_migrate_policy_find
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/21e235a36cfb6d145cefb10728f12f5dc5412f54 https://git.kernel.org/stable/c/70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a https://git.kernel.org/stable/c/83317cce60a032c49480dcdabe146435bd689d03 https://git.kernel.org/stable/c/836ee1b0426ea3db31531e9581cc32f513d24e32

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T07:40:23.286Z

Updated: 2026-05-06T07:40:23.286Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43090

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T10:16:22.313

Modified: 2026-05-06T10:16:22.313

Link: CVE-2026-43090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T12:00:03Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object