{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31517", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.108Z", "datePublished": "2026-04-22T13:54:33.522Z", "dateUpdated": "2026-04-22T13:54:33.522Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:33.522Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly\n\nIn iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner\npacket 'newskb' that is being reassembled. First a zero-copy approach is\ntried if it succeeds then newskb becomes non-linear.\n\nWhen a subsequent fragment in the same datagram does not meet the\nfast-path conditions, a memory copy is performed. It calls skb_put() to\nappend the data and as newskb is non-linear it triggers\nSKB_LINEAR_ASSERT check.\n\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:skb_put+0x3c/0x40\n [...]\n Call Trace:\n <IRQ>\n iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]\n iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]\n iptfs_input+0x122/0x3e0 [xfrm_iptfs]\n xfrm_input+0x91e/0x1a50\n xfrm4_esp_rcv+0x3a/0x110\n ip_protocol_deliver_rcu+0x1d7/0x1f0\n ip_local_deliver_finish+0xbe/0x1e0\n __netif_receive_skb_core.constprop.0+0xb56/0x1120\n __netif_receive_skb_list_core+0x133/0x2b0\n netif_receive_skb_list_internal+0x1ff/0x3f0\n napi_complete_done+0x81/0x220\n virtnet_poll+0x9d6/0x116e [virtio_net]\n __napi_poll.constprop.0+0x2b/0x270\n net_rx_action+0x162/0x360\n handle_softirqs+0xdc/0x510\n __irq_exit_rcu+0xe7/0x110\n irq_exit_rcu+0xe/0x20\n common_interrupt+0x85/0xa0\n </IRQ>\n <TASK>\n\nFix this by checking if the skb is non-linear. If it is, linearize it by\ncalling skb_linearize(). As the initial allocation of newskb originally\nreserved enough tailroom for the entire reassembled packet we do not\nneed to check if we have enough tailroom or extend it."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_iptfs.c"], "versions": [{"version": "5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7", "lessThan": "33a7b36268933c75bdc355e5531951e0ea9f1951", "status": "affected", "versionType": "git"}, {"version": "5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7", "lessThan": "7fdfe8f6efeb0e1200e22a903f2471539f54522b", "status": "affected", "versionType": "git"}, {"version": "5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7", "lessThan": "0b352f83cabfefdaafa806d6471f0eca117dc7d5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_iptfs.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/33a7b36268933c75bdc355e5531951e0ea9f1951"}, {"url": "https://git.kernel.org/stable/c/7fdfe8f6efeb0e1200e22a903f2471539f54522b"}, {"url": "https://git.kernel.org/stable/c/0b352f83cabfefdaafa806d6471f0eca117dc7d5"}], "title": "xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly\n\nIn iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner\npacket 'newskb' that is being reassembled. First a zero-copy approach is\ntried if it succeeds then newskb becomes non-linear.\n\nWhen a subsequent fragment in the same datagram does not meet the\nfast-path conditions, a memory copy is performed. It calls skb_put() to\nappend the data and as newskb is non-linear it triggers\nSKB_LINEAR_ASSERT check.\n\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:skb_put+0x3c/0x40\n [...]\n Call Trace:\n <IRQ>\n iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]\n iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]\n iptfs_input+0x122/0x3e0 [xfrm_iptfs]\n xfrm_input+0x91e/0x1a50\n xfrm4_esp_rcv+0x3a/0x110\n ip_protocol_deliver_rcu+0x1d7/0x1f0\n ip_local_deliver_finish+0xbe/0x1e0\n __netif_receive_skb_core.constprop.0+0xb56/0x1120\n __netif_receive_skb_list_core+0x133/0x2b0\n netif_receive_skb_list_internal+0x1ff/0x3f0\n napi_complete_done+0x81/0x220\n virtnet_poll+0x9d6/0x116e [virtio_net]\n __napi_poll.constprop.0+0x2b/0x270\n net_rx_action+0x162/0x360\n handle_softirqs+0xdc/0x510\n __irq_exit_rcu+0xe7/0x110\n irq_exit_rcu+0xe/0x20\n common_interrupt+0x85/0xa0\n </IRQ>\n <TASK>\n\nFix this by checking if the skb is non-linear. If it is, linearize it by\ncalling skb_linearize(). As the initial allocation of newskb originally\nreserved enough tailroom for the entire reassembled packet we do not\nneed to check if we have enough tailroom or extend it."}], "id": "CVE-2026-31517", "lastModified": "2026-04-22T14:16:51.273", "metrics": {}, "published": "2026-04-22T14:16:51.273", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0b352f83cabfefdaafa806d6471f0eca117dc7d5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/33a7b36268933c75bdc355e5531951e0ea9f1951"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7fdfe8f6efeb0e1200e22a903f2471539f54522b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7,33a7b36268933c75bdc355e5531951e0ea9f1951)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7,7fdfe8f6efeb0e1200e22a903f2471539f54522b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7,0b352f83cabfefdaafa806d6471f0eca117dc7d5)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:38:05.510994+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a release that includes the fix for IPTFS reassembly, using your distribution\u2019s security update channel.", "If an update cannot be applied immediately, disable IPTFS processing in the kernel configuration or via sysctl to prevent the reassembly code from executing.", "Restrict or block inbound fragmented IP traffic that would otherwise reach the kernel, and monitor system logs for panics to act swiftly when the issue persists."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in any Linux kernel that implements the IPTFS feature, and no specific version range is specified in the advisory. All affected systems using the default IPTFS configuration are at risk until the patch is applied. ", "description_and_impact": "The flaw occurs in the Linux kernel\u2019s IPTFS packet reassembly logic when a non\u2011linear socket buffer is mistakenly appended to with skb_put, triggering the SKB_LINEAR_ASSERT check and causing a kernel panic. A malicious sender can craft fragmented IP packets that exercise this path, forcing the system to reboot or halt, which disrupts availability for that host. ", "risk_and_exploitability": "No CVSS or EPSS score is provided and the issue is not listed in the CISA KEV catalog, but the crash\u2011based nature of the flaw gives it high exploitability via network traffic. An attacker can target a host by sending a series of IP fragments that trigger the reassembly path. The only known mitigation is to apply the vendor\u2019s fix or otherwise disable IPTFS processing. "}}}}, "created": "2026-04-22T18:45:24.009318+00:00", "updated": "2026-04-22T19:00:07.811194+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-20", "CWE-119"]}