{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31471", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:53:59.595Z", "dateUpdated": "2026-04-22T13:53:59.595Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:53:59.595Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: only publish mode_data after clone setup\n\niptfs_clone_state() stores x->mode_data before allocating the reorder\nwindow. If that allocation fails, the code frees the cloned state and\nreturns -ENOMEM, leaving x->mode_data pointing at freed memory.\n\nThe xfrm clone unwind later runs destroy_state() through x->mode_data,\nso the failed clone path tears down IPTFS state that clone_state()\nalready freed.\n\nKeep the cloned IPTFS state private until all allocations succeed so\nfailed clones leave x->mode_data unset. The destroy path already\nhandles a NULL mode_data pointer."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_iptfs.c"], "versions": [{"version": "6be02e3e4f376fea468846c8562655ca5ee18204", "lessThan": "371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1", "status": "affected", "versionType": "git"}, {"version": "6be02e3e4f376fea468846c8562655ca5ee18204", "lessThan": "5784a1e2889c9525a8f036cb586930e232170bf7", "status": "affected", "versionType": "git"}, {"version": "6be02e3e4f376fea468846c8562655ca5ee18204", "lessThan": "d849a2f7309fc0616e79d13b008b0a47e0458b6e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_iptfs.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1"}, {"url": "https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7"}, {"url": "https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e"}], "title": "xfrm: iptfs: only publish mode_data after clone setup", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: only publish mode_data after clone setup\n\niptfs_clone_state() stores x->mode_data before allocating the reorder\nwindow. If that allocation fails, the code frees the cloned state and\nreturns -ENOMEM, leaving x->mode_data pointing at freed memory.\n\nThe xfrm clone unwind later runs destroy_state() through x->mode_data,\nso the failed clone path tears down IPTFS state that clone_state()\nalready freed.\n\nKeep the cloned IPTFS state private until all allocations succeed so\nfailed clones leave x->mode_data unset. The destroy path already\nhandles a NULL mode_data pointer."}], "id": "CVE-2026-31471", "lastModified": "2026-04-22T14:16:43.610", "metrics": {}, "published": "2026-04-22T14:16:43.610", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6be02e3e4f376fea468846c8562655ca5ee18204,371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6be02e3e4f376fea468846c8562655ca5ee18204,5784a1e2889c9525a8f036cb586930e232170bf7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6be02e3e4f376fea468846c8562655ca5ee18204,d849a2f7309fc0616e79d13b008b0a47e0458b6e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:58:54.045918+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the commit that fixes the xfrm:iptfs clone logic", "If IPTFS or IPsec is not required, disable these features or restrict their use through configuration or network policy", "Enable kernel auditing and monitor system logs for IPsec\u2011related crashes or panics to detect exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Use\u2011after\u2011free that can lead to kernel memory corruption and system crash"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all kernel builds that contain the buggy xfrm:iptfs clone logic, and no specific version range is provided; any Linux system running a kernel prior to the patch that introduced the fix is affected. Users should check that their kernel contains commit 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1 or later.\n", "description_and_impact": "In the Linux kernel a failure to allocate an IPTFS reorder window leaves the mode_data pointer pointing to freed memory; subsequent teardown routines use this dangling pointer, creating a use\u2011after\u2011free condition. This bug can corrupt kernel state, potentially allowing privilege escalation or untrusted code execution, and can also cause the kernel to crash, resulting in a denial of service.\n", "risk_and_exploitability": "The CVSS score is not disclosed, and the EPSS value is unavailable, but the bug involves kernel\u2011level memory corruption with local\u2013realm exploitation potential. Because the vulnerability is a classic use\u2011after\u2011free (CWE\u2011416) that can crash or compromise a privileged process, its likelihood of exploitation is significant in environments with active IPsec/second\u2011level tunneling. It is not yet catalogued in CISA KEV, but it should be treated as a high\u2011risk kernel flaw until fully mitigated."}}}}, "created": "2026-04-22T16:45:21.251347+00:00", "updated": "2026-04-22T19:00:08.097372+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}