CVE-2026-43107 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: account XFRMA_IF_ID in aevent size calculation xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set. xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic. Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding.

PUBLISHED Reserved 2026-05-01 | Published 2026-05-06 | Updated 2026-05-06 | Assigner Linux

Product status

Default status

unaffected

7e6526404adedf079279aa7aa11722deaca8fe2e (git) before 2c41283d94af943a05f7f2cc1a01f0c872f3cf43

affected

7e6526404adedf079279aa7aa11722deaca8fe2e (git) before e62e322ea20be78e346e4b49f9a6b9f03313af4c

affected

7e6526404adedf079279aa7aa11722deaca8fe2e (git) before 58e5735d1a5373652f405a0c16e54ac04aaab0ad

affected

7e6526404adedf079279aa7aa11722deaca8fe2e (git) before 7081d46d32312f1a31f0e0e99c6835a394037599

affected

Default status

affected

4.19

affected

Any version before 4.19

unaffected

6.12.83 (semver)

unaffected

6.18.24 (semver)

unaffected

6.19.14 (semver)

unaffected

7.0 (original_commit_for_fix)

unaffected

References

git.kernel.org/...c/2c41283d94af943a05f7f2cc1a01f0c872f3cf43

git.kernel.org/...c/e62e322ea20be78e346e4b49f9a6b9f03313af4c

git.kernel.org/...c/58e5735d1a5373652f405a0c16e54ac04aaab0ad

git.kernel.org/...c/7081d46d32312f1a31f0e0e99c6835a394037599

cve.org (CVE-2026-43107)

nvd.nist.gov (CVE-2026-43107)

Download JSON

help @ threatint.eu