{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31518", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.108Z", "datePublished": "2026-04-22T13:54:34.191Z", "dateUpdated": "2026-04-22T13:54:34.191Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:34.191Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/esp4.c", "net/ipv6/esp6.c"], "versions": [{"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "aca3ad0c262f54a5b5c95dda80a48365997d1224", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "41aafca57de4a4c026701622bd4648f112a9edcd", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "4820847e036ff1035b01b69ad68dfc17e7028fe9", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "6a3ec6efbc4f90e0ccb2e71574f07351f19996f4", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "df6f995358dc1f3c42484f5cfe241d7bd3e1cd15", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "88d386243ed374ac969dabd3bbc1409a31d81818", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "6aa9841d917532d0f2d932d1ff2f3a94305aaf47", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/esp4.c", "net/ipv6/esp6.c"], "versions": [{"version": "5.6", "status": "affected"}, {"version": "0", "lessThan": "5.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224"}, {"url": "https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd"}, {"url": "https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9"}, {"url": "https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4"}, {"url": "https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15"}, {"url": "https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818"}, {"url": "https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47"}, {"url": "https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2"}], "title": "esp: fix skb leak with espintcp and async crypto", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error."}], "id": "CVE-2026-31518", "lastModified": "2026-04-22T14:16:51.410", "metrics": {}, "published": "2026-04-22T14:16:51.410", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,aca3ad0c262f54a5b5c95dda80a48365997d1224)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,41aafca57de4a4c026701622bd4648f112a9edcd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,4820847e036ff1035b01b69ad68dfc17e7028fe9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,6a3ec6efbc4f90e0ccb2e71574f07351f19996f4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,df6f995358dc1f3c42484f5cfe241d7bd3e1cd15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,88d386243ed374ac969dabd3bbc1409a31d81818)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,6aa9841d917532d0f2d932d1ff2f3a94305aaf47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.10.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.168,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.131,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.131,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.168,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.10.*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:37:33.724967+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the espintcp skb leak fix (e.g., apply the latest kernel patch series from the vendor).", "If immediate kernel upgrade is not possible, restrict or disable ESP over TCP traffic, or enforce strict rate limiting on incoming ESP packets.", "Monitor kernel memory consumption and the number of skbs in the network stack; investigate and alert if unexpected growth is observed."], "summary": {"action": "Apply patch", "impact": "Remote Denial of Service via Memory Leak"}, "threat_synthesis": {"affected_systems": "The flaw exists in the Linux kernel code that implements ESP over TCP. All distributions packaging unpatched Linux kernels are potentially affected; the precise version range is not specified in the advisory. Any system running the old kernel build that handles IPsec over TCP and uses asynchronous crypto code is susceptible. The vulnerability affects the kernel itself rather than user space applications.", "description_and_impact": "This bug involves the Linux kernel's ESP over TCP (espintcp) module. When the transmit queue reaches capacity, esp_output_tail_tcp returns an error but fails to free the associated socket buffer (skb). With synchronous crypto, a subsequent common xfrm output drop handles the cleanup, but with asynchronous crypto (esp_output_done) the skb is never freed. The resulting leak accumulates unreferenced skbs in memory. Over time, unbounded accumulation can exhaust kernel memory, destabilizing the system or allowing an attacker to trigger a denial\u2011of\u2011service by exhausting resources. The weakness maps to CWE\u2011459: Resource Leak.", "risk_and_exploitability": "Because EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, the attack surface is not known to be actively exploited. However, the bug can be triggered by sending a high volume of ESP\u2011encrypted TCP packets that fill the transmit queue. Thus remote attackers who can inject such traffic could drain memory resources over time. While no public exploit is demonstrated, the combination of a resource leak and potential for sustained traffic makes it a medium\u2011to\u2011high risk for vulnerable hosts. Administrators should treat this as a potential denial\u2011of\u2011service scenario until a patch is applied."}}}}, "created": "2026-04-22T18:30:23.553394+00:00", "updated": "2026-04-22T18:45:24.008336+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-459"]}