CVE-2026-43107
XFRM State Handling Heap Overflow in Linux Kernel
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's xfrm subsystem, specifically in how it calculates the size for a network event message.
The function xfrm_get_ae() allocates memory for a reply message based on a size calculated by xfrm_aevent_msgsize(). However, xfrm_aevent_msgsize() does not account for the space needed for the XFRMA_IF_ID attribute.
When the if_id field is set, build_aevent() tries to append the XFRMA_IF_ID attribute to a buffer that was sized without it, so the append fails with -EMSGSIZE. xfrm_get_ae() treats that failure as a BUG_ON condition, causing a kernel panic.
The fix involves properly accounting for the XFRMA_IF_ID size in the calculation and replacing the BUG_ON with normal error handling to prevent the kernel panic.
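The size mismatch and the two halves of the fix can be modelled outside the kernel. The following C program is an added illustration, not kernel code: it mirrors netlink's attribute rounding, sizes a reply message with and without the XFRMA_IF_ID attribute, and returns the build error to the caller instead of treating it as fatal. The fixed-part size (64 bytes), the attribute tag value and the message builder are constructed for this model and are not the kernel's real values or functions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Netlink attribute layout: 4-byte header (len, type), payload padded to 4 bytes. */
#define NLA_HDRLEN 4
#define NLA_ALIGN(len) (((len) + 3u) & ~3u)

static size_t nla_total_size(size_t payload)
{
    return NLA_ALIGN(NLA_HDRLEN + payload);
}

/* Constructed values for this model; they are not the kernel's real sizes or ids. */
#define AEVENT_FIXED_PART 64      /* assumed: nlmsg header + mandatory attributes */
#define XFRMA_IF_ID_TAG   0x1Du   /* assumed attribute tag, used only as a label here */

/* Buggy sizing: ignores the optional XFRMA_IF_ID attribute (the defect described above). */
size_t aevent_msgsize_buggy(uint32_t if_id)
{
    (void)if_id;
    return AEVENT_FIXED_PART;
}

/* Fixed sizing: reserves room for XFRMA_IF_ID whenever if_id is non-zero. */
size_t aevent_msgsize_fixed(uint32_t if_id)
{
    return AEVENT_FIXED_PART + (if_id ? nla_total_size(sizeof if_id) : 0);
}

/* Minimal bounded message buffer standing in for the reply skb. */
struct msg {
    unsigned char *buf;
    size_t cap;
    size_t len;
};

/* Append one attribute; refuse with -EMSGSIZE when it does not fit. */
static int msg_put_attr(struct msg *m, uint16_t type, const void *data, size_t payload)
{
    size_t need = nla_total_size(payload);
    if (m->len + need > m->cap)
        return -EMSGSIZE;
    uint16_t len = (uint16_t)(NLA_HDRLEN + payload);
    memcpy(m->buf + m->len, &len, sizeof len);
    memcpy(m->buf + m->len + 2, &type, sizeof type);
    memcpy(m->buf + m->len + NLA_HDRLEN, data, payload);
    m->len += need;   /* padding bytes stay zero from calloc() */
    return 0;
}

/* Model of build_aevent(): fixed part first, then XFRMA_IF_ID if if_id is set. */
static int build_aevent(struct msg *m, uint32_t if_id)
{
    if (m->cap < AEVENT_FIXED_PART)
        return -EMSGSIZE;
    memset(m->buf, 0, AEVENT_FIXED_PART);
    m->len = AEVENT_FIXED_PART;
    if (if_id)
        return msg_put_attr(m, XFRMA_IF_ID_TAG, &if_id, sizeof if_id);
    return 0;
}

/* Model of xfrm_get_ae(): size the reply with the chosen calculator, build it,
 * and hand the build result back to the caller instead of treating failure as
 * a BUG_ON. Returns 0 on success, a negative errno otherwise. */
int get_ae(bool use_fixed_sizing, uint32_t if_id)
{
    size_t size = use_fixed_sizing ? aevent_msgsize_fixed(if_id)
                                   : aevent_msgsize_buggy(if_id);
    struct msg m = { .buf = calloc(1, size), .cap = size, .len = 0 };
    if (!m.buf)
        return -ENOMEM;
    int err = build_aevent(&m, if_id);
    free(m.buf);
    return err;
}

int main(void)
{
    printf("if_id unset, buggy sizing: %d\n", get_ae(false, 0));
    printf("if_id set,   buggy sizing: %d (-EMSGSIZE is %d)\n", get_ae(false, 7), -EMSGSIZE);
    printf("if_id set,   fixed sizing: %d\n", get_ae(true, 7));
    return 0;
}
```

With if_id unset both calculators agree and the build succeeds; with if_id set the buggy calculator comes up 8 bytes short (4-byte header plus 4-byte payload) and the append returns -EMSGSIZE, which is the condition the original code escalated to a panic. The fixed calculator reserves those 8 bytes, and get_ae() propagates any remaining failure as an error code rather than halting the machine.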
How can this vulnerability impact me?
This vulnerability can cause a kernel panic in the Linux operating system when a malformed netlink interaction triggers the bug.
A kernel panic results in the system crashing or rebooting unexpectedly, which can lead to denial of service (DoS). This can disrupt normal operations, cause data loss, or require system restarts.