CVE-2026-31471
Use-After-Free in Linux Kernel IPTFS Clone State Handling
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's xfrm subsystem related to IPTFS (IP Tunnel Fast Segment). The issue occurs because the function iptfs_clone_state() stores a pointer to mode_data before successfully allocating a reorder window. If the allocation fails, the cloned state is freed but the mode_data pointer still references the freed memory. Later, when the destroy_state() function is called through this mode_data pointer, it attempts to tear down IPTFS state that has already been freed, leading to potential use-after-free or memory corruption.
The fix involves keeping the cloned IPTFS state private until all allocations succeed, ensuring that if cloning fails, the mode_data pointer remains unset (NULL). The destroy path is designed to safely handle a NULL mode_data pointer, preventing the issue.
How can this vulnerability impact me? :
This vulnerability can lead to use-after-free conditions or memory corruption within the Linux kernel's networking subsystem. Such issues may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if they can trigger the faulty clone operation.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is resolved by ensuring that the cloned IPTFS state is kept private until all allocations succeed, preventing mode_data from pointing to freed memory.
To mitigate this vulnerability immediately, update your Linux kernel to a version that includes the fix for this issue.