CVE-2026-31517
Memory Corruption in Linux Kernel xfrm_iptfs Causes skb_put() Panic

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly

In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner packet 'newskb' that is being reassembled. First a zero-copy approach is tried; if it succeeds, newskb becomes non-linear.

When a subsequent fragment in the same datagram does not meet the fast-path conditions, a memory copy is performed. It calls skb_put() to append the data and as newskb is non-linear it triggers SKB_LINEAR_ASSERT check.

  Oops: invalid opcode: 0000 [#1] SMP NOPTI
  [...]
  RIP: 0010:skb_put+0x3c/0x40
  [...]
  Call Trace:
   <IRQ>
   iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]
   iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]
   iptfs_input+0x122/0x3e0 [xfrm_iptfs]
   xfrm_input+0x91e/0x1a50
   xfrm4_esp_rcv+0x3a/0x110
   ip_protocol_deliver_rcu+0x1d7/0x1f0
   ip_local_deliver_finish+0xbe/0x1e0
   __netif_receive_skb_core.constprop.0+0xb56/0x1120
   __netif_receive_skb_list_core+0x133/0x2b0
   netif_receive_skb_list_internal+0x1ff/0x3f0
   napi_complete_done+0x81/0x220
   virtnet_poll+0x9d6/0x116e [virtio_net]
   __napi_poll.constprop.0+0x2b/0x270
   net_rx_action+0x162/0x360
   handle_softirqs+0xdc/0x510
   __irq_exit_rcu+0xe7/0x110
   irq_exit_rcu+0xe/0x20
   common_interrupt+0x85/0xa0
   </IRQ>
   <TASK>

Fix this by checking if the skb is non-linear. If it is, linearize it by calling skb_linearize(). As the initial allocation of newskb originally reserved enough tailroom for the entire reassembled packet we do not need to check if we have enough tailroom or extend it.

Meta Information
Published: 2026-04-22
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.14
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.14.1 (inc) to 6.18.21 (exc)
CWE
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's IP-TFS (IP Transport Flow Security) reassembly code. Specifically, during the reassembly of fragmented packets, the function iptfs_reassem_cont() tries to append data to a new inner packet called 'newskb'. Initially, a zero-copy approach is used which makes 'newskb' non-linear.

If a subsequent fragment does not meet certain fast-path conditions, a memory copy is performed and skb_put() is called to append data. However, because 'newskb' is non-linear at this point, calling skb_put() triggers a kernel panic due to the SKB_LINEAR_ASSERT check failing.

The fix involves checking if 'newskb' is non-linear and, if so, linearizing it by calling skb_linearize() before appending data. This prevents the kernel panic and ensures safe packet reassembly.


How can this vulnerability impact me?

This vulnerability can cause a kernel panic (system crash) when processing certain fragmented network packets. Such a crash can lead to denial of service (DoS) conditions, making the affected system unstable or unavailable until it is rebooted.

An attacker could potentially exploit this by sending specially crafted fragmented packets to trigger the panic, disrupting network services or causing downtime.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring that when the skb (socket buffer) is non-linear during IP-TFS packet reassembly, it is linearized by calling skb_linearize().

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix, which prevents the skb_put() panic by properly handling non-linear skbs during reassembly.
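
To decide which hosts need the update first, the following added example (not part of the advisory or of any kernel tooling) compares a kernel release string against the version ranges in the "Affected Vendors & Products" table above and reports whether the xfrm_iptfs module is loaded. The function names are hypothetical, the comparison assumes upstream version numbering (distribution kernels may carry the fix under an older number), and a built-in xfrm_iptfs does not appear in /proc/modules.

```shell
#!/bin/sh
# Added example: triage a host against the ranges listed on this page.

# Turn "6.18.21-arch1" into 6018021 so versions compare as integers.
ver_num() {
    IFS=. read -r a b c _ <<EOF
$1
EOF
    # Keep only the leading digits of each component ("0-14-generic" -> 0).
    a=${a%%[!0-9]*}; b=${b%%[!0-9]*}; c=${c%%[!0-9]*}
    echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# Classify a release string using the table on this page:
#   6.14, and 6.14.1 (inc) to 6.18.21 (exc)  -> affected
#   6.19 (inc) to 6.19.11 (exc)              -> affected
#   7.0 (the page lists 7.0 without qualifier) -> check-listing
iptfs_range_status() {
    n=$(ver_num "$1")
    if [ "$n" -ge 6014000 ] && [ "$n" -lt 6018021 ]; then
        echo affected
    elif [ "$n" -ge 6019000 ] && [ "$n" -lt 6019011 ]; then
        echo affected
    elif [ "$n" -eq 7000000 ]; then
        echo check-listing
    else
        echo not-listed
    fi
}

# One-line report; arguments default to the running kernel and /proc/modules.
iptfs_report() {
    rel=${1:-$(uname -r)}
    mods=${2:-/proc/modules}
    if grep -q '^xfrm_iptfs ' "$mods" 2>/dev/null; then
        loaded=yes
    else
        loaded=no
    fi
    echo "kernel=$rel range=$(iptfs_range_status "$rel") xfrm_iptfs_loaded=$loaded"
}

iptfs_report
```

A host that reports `range=affected` together with `xfrm_iptfs_loaded=yes` is the one to patch first; `check-listing` means the page's 7.0 entries must be compared against the vendor's own advisory.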


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel panic caused by a skb_put() call on a non-linear skb during IP-TFS packet reassembly. Detection involves monitoring your system logs for kernel oops or panic messages referencing skb_put, iptfs_reassem_cont, or related stack traces.

You can check your kernel logs for relevant error messages using commands like:

  • dmesg | grep -i 'skb_put'
  • journalctl -k | grep -i 'iptfs_reassem_cont'
  • grep -i 'invalid opcode' /var/log/kern.log

Additionally, monitoring for unexpected kernel panics or crashes related to network packet processing may indicate exploitation attempts.
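
Each grep above matches on a single string, so an unrelated oops in skb_put() also matches. The following added example (not from the advisory; function names and the sample log lines are constructed, with the sample modelled on the trace quoted in the Description) counts only oopses where the faulting RIP is in skb_put and iptfs_reassem_cont appears in the call trace that follows.

```shell
#!/bin/sh
# Added example: correlate the two markers of this crash in kernel log text.

# Reads log text from the named files or stdin and prints the number of
# oopses whose RIP is in skb_put and whose trace (within the next 40 lines)
# contains iptfs_reassem_cont.
count_iptfs_skb_put_oops() {
    awk '
        /RIP: [0-9a-f]+:skb_put\+/ { rip = NR }
        /iptfs_reassem_cont\+/ && rip && NR - rip <= 40 { hits++; rip = 0 }
        END { print hits + 0 }
    ' "$@"
}

# Constructed sample: timestamps invented, symbols taken from the Description.
sample_iptfs_oops() {
cat <<'EOF'
[  812.345678] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[  812.345690] RIP: 0010:skb_put+0x3c/0x40
[  812.345701] Call Trace:
[  812.345702]  <IRQ>
[  812.345703]  iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]
[  812.345704]  iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]
EOF
}

# Constructed sample: same faulting function, unrelated (made-up) caller.
sample_other_oops() {
cat <<'EOF'
[   99.000001] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[   99.000002] RIP: 0010:skb_put+0x3c/0x40
[   99.000003] Call Trace:
[   99.000004]  example_driver_rx+0x10/0x80 [example_drv]
EOF
}

# Stand-alone run: the mixed sample contains exactly one matching oops.
{ sample_other_oops; sample_iptfs_oops; } | count_iptfs_skb_put_oops
```

On a real host, feed it `journalctl -k -b -1` to read the previous boot, since `dmesg` after a reboot no longer holds the crash. A panic in interrupt context may never reach disk, so an empty result is not proof that the crash did not occur.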

