CVE-2026-43090
Analyzed - Analysis Complete
Memory Leak in Linux Kernel xfrm Policy Handling

Publication date: 2026-05-06

Last updated on: 2026-05-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix refcount leak in xfrm_migrate_policy_find

syzkaller reported a memory leak in xfrm_policy_alloc:

  BUG: memory leak
  unreferenced object 0xffff888114d79000 (size 1024):
    comm "syz.1.17", pid 931
    ...
    xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432

The root cause is a double call to xfrm_pol_hold_rcu() in xfrm_migrate_policy_find(). The lookup function already returns a policy with held reference, making the second call redundant.

Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount imbalance and prevent the memory leak.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Meta Information
Published: 2026-05-06
Last Modified: 2026-05-19
Generated: 2026-06-16
AI Q&A: 2026-05-06
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 10 associated CPEs

Vendor  Product       Version / Range
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  From 6.13 (inc) to 6.18.24 (exc)
linux   linux_kernel  From 6.19 (inc) to 6.19.14 (exc)
linux   linux_kernel  From 6.12 (inc) to 6.12.83 (exc)

CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is a memory leak in the Linux kernel's xfrm (IPsec) subsystem, specifically related to the function xfrm_migrate_policy_find.

The issue arises because xfrm_migrate_policy_find() takes a second, redundant reference: it calls xfrm_pol_hold_rcu() on a policy that the lookup function has already returned with a held reference, which leaves the reference count imbalanced.

Because the extra reference is never dropped, the policy's reference count never reaches zero, so the memory allocated in xfrm_policy_alloc is never freed and leaks.

The fix involves removing the redundant call to xfrm_pol_hold_rcu() to correct the reference count and prevent the leak.
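
The imbalance described above, modelled in userspace C as an added example (this is not the kernel's code; `pol_alloc`, `pol_hold`, `pol_put`, `lookup`, `find_buggy`, `find_fixed` and `leaked_after_cycle` are hypothetical stand-ins). It shows why one extra hold leaves the object allocated after every legitimate owner has dropped its reference:

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every name here is a hypothetical stand-in. */
struct policy { int refcnt; };
static int live_objects;              /* allocated and not yet freed */

static struct policy *pol_alloc(void) {
    struct policy *p = calloc(1, sizeof(*p));
    if (!p) abort();
    p->refcnt = 1;                    /* reference owned by the policy table */
    live_objects++;
    return p;
}

static void pol_hold(struct policy *p) { p->refcnt++; }

static void pol_put(struct policy *p) {
    if (--p->refcnt == 0) { free(p); live_objects--; }
}

/* Lookup contract: the returned policy already carries the caller's reference. */
static struct policy *lookup(struct policy *table_entry) {
    pol_hold(table_entry);
    return table_entry;
}

static struct policy *find_buggy(struct policy *e) {
    struct policy *p = lookup(e);
    pol_hold(p);                      /* redundant second hold: the imbalance */
    return p;
}

static struct policy *find_fixed(struct policy *e) {
    return lookup(e);                 /* rely on the reference lookup returned */
}

/* One find/use/put cycle followed by deletion of the policy from the table.
 * Returns how many objects are still allocated afterwards (0 means no leak). */
static int leaked_after_cycle(struct policy *(*find)(struct policy *)) {
    live_objects = 0;
    struct policy *entry = pol_alloc();
    struct policy *p = find(entry);
    pol_put(p);                       /* caller drops the one reference it owns */
    pol_put(entry);                   /* table drops its reference on delete */
    return live_objects;
}

int main(void) {
    printf("buggy leaked: %d\n", leaked_after_cycle(find_buggy));
    printf("fixed leaked: %d\n", leaked_after_cycle(find_fixed));
    return 0;
}
```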

Impact Analysis

This vulnerability can cause a memory leak in the Linux kernel's IPsec policy management.

Over time, the leak could lead to increased memory usage, potentially degrading system performance or causing resource exhaustion.

In environments where IPsec policies are frequently created or migrated, this could lead to instability or crashes if memory is exhausted.

Mitigation Strategies

The vulnerability is fixed by removing the redundant call to xfrm_pol_hold_rcu() in the xfrm_migrate_policy_find() function in the Linux kernel.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.
