CVE-2026-43139 - Vulnerability Details

- xfrm6: fix uninitialized saddr in xfrm6_get_saddr()

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm6: fix uninitialized saddr in xfrm6_get_saddr()

xfrm6_get_saddr() does not check the return value of
ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable
source address (returns -EADDRNOTAVAIL), saddr->in6 is left
uninitialized, but xfrm6_get_saddr() still returns 0 (success).

This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized
address in xfrm_state_find(), triggering KMSAN warning:

=====================================================
BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940
xfrm_state_find+0x2424/0xa940
xfrm_resolve_and_create_bundle+0x906/0x5a20
xfrm_lookup_with_ifid+0xcc0/0x3770
xfrm_lookup_route+0x63/0x2b0
ip_route_output_flow+0x1ce/0x270
udp_sendmsg+0x2ce1/0x3400
inet_sendmsg+0x1ef/0x2a0
__sock_sendmsg+0x278/0x3d0
__sys_sendto+0x593/0x720
__x64_sys_sendto+0x130/0x200
x64_sys_call+0x332b/0x3e70
do_syscall_64+0xd3/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp.i.i created at:
xfrm_resolve_and_create_bundle+0x3e3/0x5a20
xfrm_lookup_with_ifid+0xcc0/0x3770
=====================================================

Fix by checking the return value of ipv6_dev_get_saddr() and propagating
the error.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs in the xfrm6 module of the Linux kernel where the function xfrm6_get_saddr() fails to check the return value of ipv6_dev_get_saddr(). When that helper reports no available source address, the address structure remains uninitialized, yet xfrm6_get_saddr() still signals success. Subsequent code that uses this address, such as xfrm_state_find(), may work with garbage data, leading to kernel memory corruption, KMSAN warnings, and potentially a kernel panic, resulting in a denial of service.

Affected Systems

All Linux kernel installations that contain the xfrm6 module before the patch are affected. The vendor entries list Linux:Linux, indicating that any distribution using the standard Linux kernel is potentially impacted. No specific version list is supplied, so any kernel older than the commit that fixes the error is vulnerable.

Risk and Exploitability

Risk is uncertain because no CVSS or EPSS score is provided and the vulnerability is not listed in CISA KEV. The likely attack vector is local; an attacker would need the ability to invoke xfrm_tmpl_resolve_one(), for example by sending particular UDP packets that trigger address resolution. No public exploits have been documented, and the kernel does not expose an obvious remote trigger. However, local privilege escalation could allow a user to exercise the flaw, potentially causing a system crash or other disruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a1e59abf824969554b90facd44a4ab16e265afa4`	affected	< 4f28141786e1fe884ce42a5197ba9beed540f0ea
`a1e59abf824969554b90facd44a4ab16e265afa4`	affected	< 6535867673bf301d52aa00593a4d1d18cc3922fa
`a1e59abf824969554b90facd44a4ab16e265afa4`	affected	< eb2ee15290af14c60b45cf2b73f5687d1d077d9b
`a1e59abf824969554b90facd44a4ab16e265afa4`	affected	< 719918fc88df6da023dfff370cd965151a5afd7f
`a1e59abf824969554b90facd44a4ab16e265afa4`	affected	< dc0abce055134cb83b0d981d31ceb20dda419787
`a1e59abf824969554b90facd44a4ab16e265afa4`	affected	< c7221e7bd8fc2ef38a0b27be580d9d202281306b
`a1e59abf824969554b90facd44a4ab16e265afa4`	affected	< 3dcd1664ac15eee6a690daec7c4ffc59190406f7
`a1e59abf824969554b90facd44a4ab16e265afa4`	affected	< 1799d8abeabc68ec05679292aaf6cba93b343c05

Linux

affected

Version	Status	Constraints
`2.6.19`	affected	—
`0`	unaffected	< 2.6.19
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a1e59abf824969554b90facd44a4ab16e265afa4,4f28141786e1fe884ce42a5197ba9beed540f0ea)`	affected	code_commit	—
`[a1e59abf824969554b90facd44a4ab16e265afa4,6535867673bf301d52aa00593a4d1d18cc3922fa)`	affected	code_commit	—
`[a1e59abf824969554b90facd44a4ab16e265afa4,eb2ee15290af14c60b45cf2b73f5687d1d077d9b)`	affected	code_commit	—
`[a1e59abf824969554b90facd44a4ab16e265afa4,719918fc88df6da023dfff370cd965151a5afd7f)`	affected	code_commit	—
`[a1e59abf824969554b90facd44a4ab16e265afa4,dc0abce055134cb83b0d981d31ceb20dda419787)`	affected	code_commit	—
`[a1e59abf824969554b90facd44a4ab16e265afa4,c7221e7bd8fc2ef38a0b27be580d9d202281306b)`	affected	code_commit	—
`[a1e59abf824969554b90facd44a4ab16e265afa4,3dcd1664ac15eee6a690daec7c4ffc59190406f7)`	affected	code_commit	—
`[a1e59abf824969554b90facd44a4ab16e265afa4,1799d8abeabc68ec05679292aaf6cba93b343c05)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.19`	affected	semver	—
`[0,2.6.19)`	unaffected	semver	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the xfrm6_get_saddr() patch so that source address failures are properly handled.
Configure static IPv6 routes or predefine valid source addresses to reduce the likelihood that ipv6_dev_get_saddr() will fail.
Monitor system logs for KMSAN warnings or kernel panics that may indicate a remaining vulnerability.

Generated by OpenCVE AI on May 6, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05
https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7
https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea
https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa
https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f
https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b
https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787
https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b

History

Wed, 06 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-457

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_get_saddr() xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6_get_saddr() still returns 0 (success). This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized address in xfrm_state_find(), triggering KMSAN warning: ===================================================== BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940 xfrm_state_find+0x2424/0xa940 xfrm_resolve_and_create_bundle+0x906/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 xfrm_lookup_route+0x63/0x2b0 ip_route_output_flow+0x1ce/0x270 udp_sendmsg+0x2ce1/0x3400 inet_sendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64_sys_sendto+0x130/0x200 x64_sys_call+0x332b/0x3e70 do_syscall_64+0xd3/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable tmp.i.i created at: xfrm_resolve_and_create_bundle+0x3e3/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 ===================================================== Fix by checking the return value of ipv6_dev_get_saddr() and propagating the error.
Title		xfrm6: fix uninitialized saddr in xfrm6_get_saddr()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05 https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7 https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787 https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:24.898Z

Updated: 2026-05-06T11:27:24.898Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43139

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:31.227

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses

CWE-457

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object