Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: account XFRMA_IF_ID in aevent size calculation

xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then
build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is
set.

xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states
with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)
in xfrm_get_ae(), turning a malformed netlink interaction into a kernel
panic.

Account XFRMA_IF_ID in the size calculation unconditionally and replace
the BUG_ON with normal error unwinding.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s XFRM layer causes the size of a netlink event message to be miscalculated when an interface identifier is present. This oversight allows the build process to fail, triggering an unconditional BUG_ON that culminates in a kernel panic. The result is a denial of service whereby a malformed netlink request can bring the system offline. The vulnerability stems from improper input validation and missing message size accounting, leading to a catastrophic kernel failure. In practice, an attacker who can craft such a netlink payload – potentially a privileged user or an application with CAP_NET_ADMIN – can exploit this flaw to destabilize the host. The documented fix removes the BUG_ON and adds proper error handling, thus preventing the panic.
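The size-then-build mismatch described above, reduced to a userspace model. This is an added example, not the kernel's code: the struct names, the attribute type numbers 1 and 2, and the functions msgsize(), build() and get_event() are hypothetical stand-ins for the estimate, builder and caller roles.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define ATTR_HDR 4u                               /* 2-byte length + 2-byte type */
#define ATTR_TOTAL(p) ((ATTR_HDR + (p) + 3u) & ~(size_t)3)  /* 4-byte aligned */
struct state { uint32_t mark, if_id; };           /* model SA; if_id == 0 means unset */
struct msg { uint8_t buf[64]; size_t cap, len; }; /* model reply buffer */

/* Append one u32 attribute, or fail when the allocation has no room left. */
static int put_u32(struct msg *m, uint16_t type, uint32_t v)
{
    uint16_t hdr[2] = { (uint16_t)(ATTR_HDR + sizeof(v)), type };
    if (m->len + ATTR_TOTAL(sizeof(v)) > m->cap)
        return -EMSGSIZE;
    memcpy(m->buf + m->len, hdr, sizeof(hdr));
    memcpy(m->buf + m->len + sizeof(hdr), &v, sizeof(v));
    m->len += ATTR_TOTAL(sizeof(v));
    return 0;
}

/* Size estimate: count_if_id = 0 models the omission, 1 the corrected sizing. */
static size_t msgsize(int count_if_id)
{
    return ATTR_TOTAL(4) + (count_if_id ? ATTR_TOTAL(4) : 0);
}

/* Builder: always emits the mark, and the interface id only when it is set. */
static int build(struct msg *m, const struct state *x)
{
    int err = put_u32(m, 1, x->mark);
    if (!err && x->if_id)
        err = put_u32(m, 2, x->if_id);
    return err;
}

/* Caller: size, build, then hand any error back instead of asserting on it. */
static int get_event(const struct state *x, int count_if_id)
{
    struct msg m = { .cap = msgsize(count_if_id) };
    int err = build(&m, x);
    return err ? err : (int)m.len;
}

int main(void)
{
    struct state x = { .mark = 7, .if_id = 42 };  /* constructed sample state */
    return !(get_event(&x, 0) == -EMSGSIZE && get_event(&x, 1) == 16);
}
```

Counting the optional attribute unconditionally over-allocates a few bytes for states without it, which keeps the estimate a safe upper bound for every state the builder can see.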

Affected Systems

All Linux kernel releases earlier than the commit that adds XFRMA_IF_ID to the event size calculation are affected. The fix appears in the kernel commit series referenced by the advisory links, specifically the commit identified by hash e62e322ea20be78e346e4b49f9a6b9f03313af4c. No specific version numbers are listed, so any deployment running an unpatched kernel is vulnerable.

Risk and Exploitability

EPSS is less than 1%, indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.5 indicates moderate severity due to the potential for a kernel panic. The likely attack vector is a local user with netlink privileges, requiring CAP_NET_ADMIN or root to send the crafted message. The CVE description does not state that users with limited privileges can exploit this flaw; any such capability would depend on additional vulnerabilities or misconfigurations. Once exploited, the system will reboot or halt, leading to an outage. The risk is therefore significant in environments where the XFRM subsystem is active and the kernel cannot be updated promptly.

Generated by OpenCVE AI on May 7, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the commit fixing the XFRM event size calculation (commit e62e322ea20be78e346e4b49f9a6b9f03313af4c).
  • Restrict or revoke CAP_NET_ADMIN from untrusted processes, limiting access to the XFRM netlink interface until the patch can be applied.
  • Disable the XFRM subsystem or related IPsec functionality if it is not required, preventing the vulnerable code from executing.

Advisories

No advisories yet.

History

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 07 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-269

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-269

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: account XFRMA_IF_ID in aevent size calculation xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set. xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic. Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding.
Title xfrm: account XFRMA_IF_ID in aevent size calculation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:52.325Z

Reserved: 2026-05-01T14:12:55.986Z

Link: CVE-2026-43107

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T10:16:24.330

Modified: 2026-05-11T17:30:05.550

Link: CVE-2026-43107

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43107 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T04:45:16Z

Weaknesses