HIGHCVE-2026-31471Published Modified CNA Linux
CVE-2026-31471: xfrm: iptfs: only publish mode_data after clone setup
In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish mode_data after clone setup iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory. The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed. Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
0371a43c4ac70cac0de9f9b1fc5b1660b9565b9f15784a1e2889c9525a8f036cb586930e232170bf76.18.216.19.117.0d849a2f7309fc0616e79d13b008b0a47e0458b6e
Affected packages
- Linux / Linux< 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1 (from 6be02e3e4f376fea468846c8562655ca5ee18204) · < 5784a1e2889c9525a8f036cb586930e232170bf7 (from 6be02e3e4f376fea468846c8562655ca5ee18204) · < d849a2f7309fc0616e79d13b008b0a47e0458b6e (from 6be02e3e4f376fea468846c8562655ca5ee18204)
- Linux / Linux6.14Fixed in 0, 6.18.21, 6.19.11, 7.0
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H