CVE-2026-43107

MEDIUM

xfrm: account XFRMA_IF_ID in aevent size calculation

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: account XFRMA_IF_ID in aevent size calculation xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set. xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic. Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding.

Scores

CVSS v3 5.5
EPSS 0.0011
EPSS Percentile 1.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-131
Status published
Products (15)
linux/Kernel 4.19.0 - 6.12.83linux
linux/Kernel 6.13.0 - 6.18.24linux
linux/Kernel 6.19.0 - 6.19.14linux
Linux/Linux < 4.19
Linux/Linux 4.19
Linux/Linux 6.12.83 - 6.12.*
Linux/Linux 6.18.24 - 6.18.*
Linux/Linux 6.19.14 - 6.19.*
Linux/Linux 7.0
Linux/Linux 7e6526404adedf079279aa7aa11722deaca8fe2e - 2c41283d94af943a05f7f2cc1a01f0c872f3cf43
... and 5 more
Published May 06, 2026
Tracked Since May 06, 2026