CVE-2026-31472
Received - Intake
Infinite Loop Vulnerability in Linux Kernel IPTFS IPv4 Header Parsing

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Add validation of the inner IPv4 packet tot_len and ihl fields parsed from decrypted IPTFS payloads in __input_process_payload().

A crafted ESP packet containing an inner IPv4 header with tot_len=0 causes an infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the data offset never advances and the while(data < tail) loop never terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct iphdr), which catches both the tot_len=0 case and malformed ihl values. The normal IP stack performs this validation in ip_rcv_core(), but IPTFS extracts and processes inner packets before they reach that layer.

Meta Information
Published: 2026-04-22
Last Modified: 2026-04-27
Generated: 2026-05-06
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.14
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.14.1 (inc) to 6.18.21 (exc)
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's handling of IPTFS (IP Transport Flow Security) payloads. Specifically, it involves improper validation of the inner IPv4 header length fields (tot_len and ihl) within decrypted IPTFS payloads. A crafted ESP packet with an inner IPv4 header where tot_len is set to 0 can cause an infinite loop during processing. This happens because the data offset does not advance, causing the processing loop to spin indefinitely in softirq context.

The fix involves adding validation to reject inner IPv4 packets where the total length is less than the header length multiplied by 4, or where the header length multiplied by 4 is less than the size of the IPv4 header structure. This prevents malformed packets from causing the infinite loop.
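
A user-space model of the loop and of the added check described above, as an added example that is not the kernel's code. The names walk_inner and demo, the WALK_* codes and the max_iter guard are hypothetical, the model treats every inner packet as IPv4, and the sample buffer is constructed here.

```c
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20u  /* sizeof(struct iphdr) */
enum { WALK_OK = 0, WALK_REJECTED = -1, WALK_STUCK = -2 };  /* hypothetical codes */

/* Walk back-to-back inner IPv4 packets in a decrypted payload.
 * validate=0 models the loop from the description; validate=1 adds the
 * tot_len/ihl check. max_iter makes the unvalidated case return WALK_STUCK. */
static int walk_inner(const uint8_t *data, size_t len, int validate,
                      unsigned max_iter)
{
    const uint8_t *tail = data + len;
    unsigned iter = 0;
    while (data < tail) {
        size_t remaining = (size_t)(tail - data);
        if (iter++ >= max_iter)
            return WALK_STUCK;              /* model only: loop made no progress */
        if (remaining < IPV4_MIN_HDR)
            break;                          /* partial header, out of scope here */
        size_t hdrlen = (size_t)(data[0] & 0x0f) * 4;     /* ihl * 4 */
        size_t iplen = ((size_t)data[2] << 8) | data[3];  /* tot_len */
        if (validate && (hdrlen < IPV4_MIN_HDR || iplen < hdrlen))
            return WALK_REJECTED;           /* tot_len < ihl*4 or ihl*4 < 20 */
        size_t capturelen = iplen < remaining ? iplen : remaining;
        data += capturelen;                 /* capturelen == 0: offset stays put */
    }
    return WALK_OK;
}

/* Constructed input: one valid 20-byte header-only packet followed by a
 * second header carrying the given ihl and tot_len. */
static int demo(unsigned ihl, unsigned tot_len, int validate)
{
    uint8_t buf[40] = {0};
    buf[0] = 0x45; buf[3] = 20;
    buf[20] = (uint8_t)(0x40 | (ihl & 0x0f));
    buf[22] = (uint8_t)(tot_len >> 8); buf[23] = (uint8_t)tot_len;
    return walk_inner(buf, sizeof(buf), validate, 16);
}

int main(void)
{
    printf("tot_len=0, no check:   %d\n", demo(5, 0, 0));
    printf("tot_len=0, with check: %d\n", demo(5, 0, 1));
    return 0;
}
```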


How can this vulnerability impact me?

This vulnerability can cause a denial of service condition by making the Linux kernel enter an infinite loop when processing specially crafted ESP packets with malformed inner IPv4 headers. The infinite loop occurs in softirq context, which can lead to system resource exhaustion and potentially degrade or halt network processing on the affected system.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by validating the inner IPv4 header length in IPTFS payloads within the Linux kernel. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

Specifically, the fix rejects inner IPv4 packets where the total length field is less than the header length multiplied by 4, or where the header length multiplied by 4 is less than the size of the IPv4 header structure. This prevents infinite loops caused by crafted ESP packets with invalid inner IPv4 headers.

