CVE-2026-31471
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: only publish mode_data after clone setup
iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory.
The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed.
Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 6be02e3e4f376fea468846c8562655ca5ee18204 < 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1 | affected |
| Linux | Linux | 6be02e3e4f376fea468846c8562655ca5ee18204 < 5784a1e2889c9525a8f036cb586930e232170bf7 | affected |
| Linux | Linux | 6be02e3e4f376fea468846c8562655ca5ee18204 < d849a2f7309fc0616e79d13b008b0a47e0458b6e | affected |
| Linux | Linux | 6.14 | affected |
| Linux | Linux | 0 < 6.14 | unaffected |
| Linux | Linux | 6.18.21 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.11 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1
- https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7
- https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.