CVE-2026-31471

HIGH

xfrm: iptfs: only publish mode_data after clone setup

Title source: cna

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish mode_data after clone setup iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory. The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed. Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.

References (3)

Core 3

Core References

https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1

https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7

https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e

Scores

CVSS v3 7.8

EPSS 0.0001

EPSS Percentile 3.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-415

Status published

Products (10)

Linux/Linux < 6.14

Linux/Linux 6.14

Linux/Linux 6.18.21 - 6.18.*

Linux/Linux 6.19.11 - 6.19.*

Linux/Linux 6be02e3e4f376fea468846c8562655ca5ee18204 - 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1

Linux/Linux 6be02e3e4f376fea468846c8562655ca5ee18204 - 5784a1e2889c9525a8f036cb586930e232170bf7

Linux/Linux 6be02e3e4f376fea468846c8562655ca5ee18204 - d849a2f7309fc0616e79d13b008b0a47e0458b6e

Linux/Linux 7.0

linux/linux_kernel 7.0 rc1 (5 CPE variants)

linux/linux_kernel 6.14 - 6.18.21

Published Apr 22, 2026

Tracked Since Apr 22, 2026