CVE-2026-43107
Analyzed Analyzed - Analysis Complete
XFRM State Handling Heap Overflow in Linux Kernel

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: account XFRMA_IF_ID in aevent size calculation xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set. xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic. Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43107
EUVD
EUVD-2026-27624
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 4.19 (inc) to 6.12.83 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's xfrm subsystem, specifically in how it calculates the size for a network event message.

The function xfrm_get_ae() allocates memory for a reply message based on a size calculated by xfrm_aevent_msgsize(). However, xfrm_aevent_msgsize() does not account for the space needed for the XFRMA_IF_ID attribute.

When the if_id field is set, build_aevent() tries to append the XFRMA_IF_ID attribute, which can cause the message size to be insufficient. This leads to a failure with an error code -EMSGSIZE and triggers a BUG_ON condition in xfrm_get_ae(), causing a kernel panic.

The fix involves properly accounting for the XFRMA_IF_ID size in the calculation and replacing the BUG_ON with normal error handling to prevent the kernel panic.

Impact Analysis

This vulnerability can cause a kernel panic in the Linux operating system when a malformed netlink interaction triggers the bug.

A kernel panic results in the system crashing or rebooting unexpectedly, which can lead to denial of service (DoS). This can disrupt normal operations, cause data loss, or require system restarts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43107. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart