CVE-2026-43167
Status: Awaiting Analysis
Memory Leak in Linux Kernel XFRM Subsystem

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: always flush state and policy upon NETDEV_UNREGISTER event

syzbot is reporting that "struct xfrm_state" refcount is leaking.

  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2
  ref_tracker: netdev@ffff888052f24618 has 1/1 users at
    __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
    netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]
    xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316
    xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]
    xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022
    xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507
    netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550
    xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529
    netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
    netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344
    netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894
    sock_sendmsg_nosec net/socket.c:727 [inline]
    __sock_sendmsg net/socket.c:742 [inline]
    ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592
    ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646
    __sys_sendmsg+0x16d/0x220 net/socket.c:2678
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") implemented xfrm_dev_unregister() as a no-op, even though xfrm_dev_state_add(), called from xfrm_state_construct(), acquires a reference to "struct net_device". I guess that that commit expected that the NETDEV_DOWN event is fired before the NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add() is called only if (dev->features & NETIF_F_HW_ESP) != 0.

Sabrina Dubroca identified steps to reproduce the same symptoms as below.

  echo 0 > /sys/bus/netdevsim/new_device
  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)
  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \
      spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \
      offload crypto dev $dev dir out
  ethtool -K $dev esp-hw-offload off
  echo 0 > /sys/bus/netdevsim/del_device

As these steps indicate, the NETIF_F_HW_ESP bit can be cleared after xfrm_dev_state_add() acquired a reference to "struct net_device". Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit when acquiring a reference to "struct net_device".

Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device") re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that commit for an unknown reason chose to share xfrm_dev_down() between the NETDEV_DOWN event and the NETDEV_UNREGISTER event. I guess that that commit missed the behavior in the previous paragraph. Therefore, we need to re-introduce xfrm_dev_unregister() in order to release the reference to "struct net_device" by unconditionally flushing state and policy.
CVSS score: not yet assigned
EPSS score: not yet evaluated (N/A)
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: * (all versions; no fixed version recorded for this entry yet)
CWE: not yet assigned (listed as CWE-UNKNOWN)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's xfrm (IPsec) subsystem: a reference on a network device is taken when an IPsec security association (SA) is created with hardware offload, but is never dropped when that device is unregistered.

Specifically, xfrm_dev_state_add(), called while constructing an SA with "offload crypto dev <dev>", takes a reference on the device's struct net_device. The original offload API implemented xfrm_dev_unregister() as a no-op, so nothing released that reference on NETDEV_UNREGISTER. A later commit routed NETDEV_UNREGISTER through the same xfrm_dev_down() handler used for NETDEV_DOWN, which only flushes offloaded states and policies while the device still advertises the NETIF_F_HW_ESP feature.

Two assumptions behind that design do not hold: NETDEV_DOWN is not guaranteed to fire before NETDEV_UNREGISTER, and NETIF_F_HW_ESP can be cleared (for example with ethtool -K <dev> esp-hw-offload off) after the SA was added, since xfrm_dev_state_add() does not check the bit when it takes the reference. When the feature bit is already clear at unregister time, the flush is skipped, the reference held by the SA is never released, and the device can never be freed. The fix re-introduces xfrm_dev_unregister() so that NETDEV_UNREGISTER flushes state and policy unconditionally.
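The following userspace C program is an added illustration, not kernel code and not part of this CVE entry or the fix. It models the lifecycle the commit message describes: a state takes a device reference regardless of the offload feature bit, the pre-fix unregister path only releases it while that bit is still set, and the fixed path releases it unconditionally. Every model_* name and MODEL_HW_ESP is a hypothetical stand-in for the kernel object it mimics (struct net_device, struct xfrm_state, NETIF_F_HW_ESP, xfrm_dev_down() and xfrm_dev_unregister()); the conditional flush in the pre-fix handler is the reading of the commit message's explanation, not a quotation of kernel source.

```c
/*
 * Added illustration (not kernel code): userspace model of the net_device
 * reference lifecycle described in the CVE text.  All model_* identifiers
 * are hypothetical stand-ins for the kernel objects they mimic.
 */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_HW_ESP 0x1u          /* stands in for NETIF_F_HW_ESP */

struct model_netdev {
    unsigned int features;
    int refcnt;                    /* references held by offloaded states */
};

struct model_xfrm_state {
    struct model_netdev *dev;      /* device reference held, or NULL */
};

/*
 * Mirrors xfrm_dev_state_add(): takes a device reference whether or not the
 * HW_ESP feature bit is set, which is the behaviour the commit message
 * points out.
 */
static void model_state_add(struct model_xfrm_state *x, struct model_netdev *dev)
{
    x->dev = dev;
    dev->refcnt++;                 /* netdev_tracker_alloc() in the kernel */
}

/* Mirrors the state/policy flush: drops the reference the state holds. */
static void model_flush(struct model_xfrm_state *x)
{
    if (x->dev) {
        x->dev->refcnt--;
        x->dev = NULL;
    }
}

/*
 * Pre-fix handler shared by NETDEV_DOWN and NETDEV_UNREGISTER: flushes only
 * while the device still advertises HW_ESP.  If ethtool cleared the bit
 * after the state was added, the reference is never dropped.
 */
static void model_dev_down(struct model_netdev *dev, struct model_xfrm_state *x)
{
    if (dev->features & MODEL_HW_ESP)
        model_flush(x);
}

/* Post-fix NETDEV_UNREGISTER handler: flush unconditionally. */
static void model_dev_unregister(struct model_netdev *dev, struct model_xfrm_state *x)
{
    (void)dev;
    model_flush(x);
}

/*
 * Replays the reproduction steps: add an offloaded SA, optionally clear the
 * offload feature bit (ethtool -K $dev esp-hw-offload off), then unregister
 * the device.  Returns the device refcount after unregister: 0 means the
 * device can be freed; anything else is the "waiting for ... to become free"
 * condition that unregister_netdevice logs forever.
 */
int model_run(bool clear_feature_bit, bool fixed)
{
    struct model_netdev dev = { .features = MODEL_HW_ESP, .refcnt = 0 };
    struct model_xfrm_state x = { .dev = NULL };

    model_state_add(&x, &dev);
    if (clear_feature_bit)
        dev.features &= ~MODEL_HW_ESP;
    if (fixed)
        model_dev_unregister(&dev, &x);
    else
        model_dev_down(&dev, &x);  /* NETDEV_UNREGISTER routed to xfrm_dev_down() */
    return dev.refcnt;
}

int main(void)
{
    printf("bit kept,    pre-fix: refcnt after unregister = %d\n", model_run(false, false));
    printf("bit cleared, pre-fix: refcnt after unregister = %d\n", model_run(true, false));
    printf("bit cleared, fixed  : refcnt after unregister = %d\n", model_run(true, true));
    return 0;
}
```

The pre-fix handler works as long as the feature bit is still set at unregister time; the leak appears only in the third line of the reproduction, where the bit is cleared between SA creation and device removal. The general lesson is that cleanup on a terminal event (unregister) must not be gated on a capability flag that can change after the resource was acquired.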


How can this vulnerability impact me?

This is a resource leak, not a memory-corruption bug. A network device whose reference is never dropped can never be freed: the kernel's unregister path waits indefinitely for the usage count to reach zero and keeps logging "unregister_netdevice: waiting for <dev> to become free", the operation that removed the device (or the network namespace being torn down) stalls, and the leaked struct net_device and struct xfrm_state are never reclaimed.

Systems that frequently add and remove IPsec-offload-capable interfaces, or that toggle the esp-hw-offload feature while offloaded SAs exist, are the ones that will hit it; each occurrence leaves another device stuck until reboot. Creating an SA requires CAP_NET_ADMIN over the network namespace that owns the device, so the trigger needs network-administration privileges rather than an arbitrary local user.

In environments that depend on IPsec hardware offload this can also interrupt the secure-networking path, since the affected interface is stuck in an unregistering state.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no exploit signature to look for; the observable symptom is a device that cannot finish unregistering. Check the kernel log (dmesg or journalctl -k) for "unregister_netdevice: waiting for <dev> to become free. Usage count = N", repeated indefinitely after an interface that carried offloaded IPsec states was removed or had esp-hw-offload disabled. On kernels built with CONFIG_NET_DEV_REFCNT_TRACKER, the accompanying ref_tracker lines name xfrm_dev_state_add as the holder of the leaked reference, as in the report above.

To confirm the bug on a test machine, the reproduction from the commit message can be run against the netdevsim driver (do not do this on a production host: on an unpatched kernel the netdevsim device stays stuck until reboot, and the final write may block indefinitely). It needs root, the netdevsim module loaded, and $key set beforehand:

  # Requires root and the netdevsim module (modprobe netdevsim).
  # $key is not defined here: set it to a 0x-prefixed hex key before running.
  # For rfc4106(gcm(aes)) with a 128-bit AES key that is 20 bytes
  # (16-byte key + 4-byte salt); the trailing 128 is the ICV length in bits.
  echo 0 > /sys/bus/netdevsim/new_device
  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)
  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \
      spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \
      offload crypto dev $dev dir out
  # Clear NETIF_F_HW_ESP after the SA has already taken its device reference.
  ethtool -K $dev esp-hw-offload off
  # Unregister the device; on a vulnerable kernel the reference is never dropped.
  echo 0 > /sys/bus/netdevsim/del_device

If the kernel log then shows "unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2" (or ref_tracker output pointing at xfrm_dev_state_add), the kernel lacks the fix. A patched kernel removes the device cleanly and the del_device write returns.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by a missing release of the struct net_device reference held by an offloaded SA when the xfrm subsystem handles the NETDEV_UNREGISTER event.

The fix is a kernel change: the commit titled "xfrm: always flush state and policy upon NETDEV_UNREGISTER event" re-introduces xfrm_dev_unregister() so that state and policy are flushed unconditionally on unregister. No affected or fixed version range has been recorded for this entry yet, so check your distribution's kernel advisory for the backport and update when it is available.

Until the fix is applied, avoid the sequence that triggers the leak: do not disable esp-hw-offload on an interface that still has offloaded SAs, and delete or flush those SAs before disabling offload or removing the interface (or destroying its network namespace). Deleting a state normally releases its device reference; only unregistering a device that still holds live offloaded states leaks it.

If you do not need IPsec hardware offload, configuring SAs without the "offload" option avoids the affected code path entirely, since the device reference is only taken for offloaded states.

