CVE-2026-43139
Memory Corruption in Linux Kernel XFRM6
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux_kernel | linux_kernel | * |
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's xfrm6_get_saddr() function. The function calls ipv6_dev_get_saddr() to obtain a suitable source IPv6 address but does not check if this call fails. When ipv6_dev_get_saddr() fails to find a suitable source address, it returns an error code, but xfrm6_get_saddr() still treats this as a success and leaves the source address uninitialized.
As a result, the uninitialized source address is used by the caller function xfrm_tmpl_resolve_one() in xfrm_state_find(), which can lead to undefined behavior and triggers a Kernel Memory Sanitizer (KMSAN) warning about using uninitialized memory.
The vulnerability was fixed by adding proper error checking for the return value of ipv6_dev_get_saddr() and propagating the error instead of proceeding with an uninitialized address.
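The missing return-value check described above, as a userspace C model added here for illustration; it is not the kernel's code or the upstream patch. Every `*_model` name, the 0xAA poison pattern standing in for uninitialized memory, and the error value returned are assumptions of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model; every *_model name is hypothetical, not kernel code. */
struct addr6_model { unsigned char b[16]; };
typedef int (*getter_model)(int, struct addr6_model *);

/* Stand-in for ipv6_dev_get_saddr(): writes *out and returns 0, or returns
 * a negative errno (value chosen for the model) and leaves *out untouched. */
static int dev_get_saddr_model(int have_addr, struct addr6_model *out)
{
    if (!have_addr)
        return -EADDRNOTAVAIL;
    memset(out, 0, sizeof(*out));
    out->b[15] = 1; /* constructed sample address ::1 */
    return 0;
}

/* Unchecked pattern: lookup result dropped, "success" reported regardless. */
static int unchecked_get_model(int have_addr, struct addr6_model *saddr)
{
    (void)dev_get_saddr_model(have_addr, saddr);
    return 0;
}

/* Checked pattern: the lookup error is propagated to the caller. */
static int checked_get_model(int have_addr, struct addr6_model *saddr)
{
    return dev_get_saddr_model(have_addr, saddr);
}

/* Caller model. Returns the getter's error, 1 if the never-written
 * (poisoned) address would be consumed, or 0 if the address is valid. */
static int resolve_model(getter_model get, int have_addr)
{
    struct addr6_model saddr, poison;
    memset(&poison, 0xAA, sizeof(poison));
    saddr = poison;
    int err = get(have_addr, &saddr);
    if (err)
        return err;
    return memcmp(&saddr, &poison, sizeof(saddr)) == 0;
}

int main(void)
{
    printf("unchecked: %d\n", resolve_model(unchecked_get_model, 0));
    printf("checked:   %d\n", resolve_model(checked_get_model, 0));
    return 0;
}
```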
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to use uninitialized memory when handling IPv6 source addresses in certain network operations. This can lead to unpredictable behavior, including potential kernel crashes or instability.
Additionally, the use of uninitialized memory may expose sensitive kernel memory contents, which could be exploited by a local attacker to gain information or escalate privileges.
Overall, this vulnerability impacts system reliability and security, especially in environments relying on IPv6 networking and the xfrm subsystem.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a Kernel Memory Sanitizer (KMSAN) warning related to the use of an uninitialized source address in the Linux kernel's xfrm6_get_saddr() function.
Detection can be done by monitoring kernel logs for KMSAN warnings similar to the following message:
- BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940
To detect this on your system, you can check the kernel logs using commands such as:
- dmesg | grep -i kmsan
- journalctl -k | grep -i kmsan
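These commands show whether the kernel has logged any KMSAN warnings related to this vulnerability. KMSAN reports are produced only by kernels built with CONFIG_KMSAN, a debugging configuration, so a kernel built without it will not log this message even if it is affected.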
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by ensuring the return value of ipv6_dev_get_saddr() is checked and errors are properly propagated in the Linux kernel code.
Immediate mitigation steps include:
- Update your Linux kernel to a version that includes the fix for this vulnerability.
- Monitor kernel logs for KMSAN warnings to detect any exploitation attempts.
- If updating the kernel is not immediately possible, consider disabling features or modules related to xfrm6 or IPv6 source address selection, if feasible, to reduce exposure.