Home

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_get_saddr() xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6_get_saddr() still returns 0 (success). This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized address in xfrm_state_find(), triggering KMSAN warning: ===================================================== BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940 xfrm_state_find+0x2424/0xa940 xfrm_resolve_and_create_bundle+0x906/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 xfrm_lookup_route+0x63/0x2b0 ip_route_output_flow+0x1ce/0x270 udp_sendmsg+0x2ce1/0x3400 inet_sendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64_sys_sendto+0x130/0x200 x64_sys_call+0x332b/0x3e70 do_syscall_64+0xd3/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable tmp.i.i created at: xfrm_resolve_and_create_bundle+0x3e3/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 ===================================================== Fix by checking the return value of ipv6_dev_get_saddr() and propagating the error.

PUBLISHED Reserved 2026-05-01 | Published 2026-05-06 | Updated 2026-05-08 | Assigner Linux




HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Product status

Default status
unaffected

a1e59abf824969554b90facd44a4ab16e265afa4 (git) before 4f28141786e1fe884ce42a5197ba9beed540f0ea
affected

a1e59abf824969554b90facd44a4ab16e265afa4 (git) before 6535867673bf301d52aa00593a4d1d18cc3922fa
affected

a1e59abf824969554b90facd44a4ab16e265afa4 (git) before eb2ee15290af14c60b45cf2b73f5687d1d077d9b
affected

a1e59abf824969554b90facd44a4ab16e265afa4 (git) before 719918fc88df6da023dfff370cd965151a5afd7f
affected

a1e59abf824969554b90facd44a4ab16e265afa4 (git) before dc0abce055134cb83b0d981d31ceb20dda419787
affected

a1e59abf824969554b90facd44a4ab16e265afa4 (git) before c7221e7bd8fc2ef38a0b27be580d9d202281306b
affected

a1e59abf824969554b90facd44a4ab16e265afa4 (git) before 3dcd1664ac15eee6a690daec7c4ffc59190406f7
affected

a1e59abf824969554b90facd44a4ab16e265afa4 (git) before 1799d8abeabc68ec05679292aaf6cba93b343c05
affected

Default status
affected

2.6.19
affected

Any version before 2.6.19
unaffected

5.10.252 (semver)
unaffected

5.15.202 (semver)
unaffected

6.1.165 (semver)
unaffected

6.6.128 (semver)
unaffected

6.12.75 (semver)
unaffected

6.18.16 (semver)
unaffected

6.19.6 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/4f28141786e1fe884ce42a5197ba9beed540f0ea

git.kernel.org/...c/6535867673bf301d52aa00593a4d1d18cc3922fa

git.kernel.org/...c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b

git.kernel.org/...c/719918fc88df6da023dfff370cd965151a5afd7f

git.kernel.org/...c/dc0abce055134cb83b0d981d31ceb20dda419787

git.kernel.org/...c/c7221e7bd8fc2ef38a0b27be580d9d202281306b

git.kernel.org/...c/3dcd1664ac15eee6a690daec7c4ffc59190406f7

git.kernel.org/...c/1799d8abeabc68ec05679292aaf6cba93b343c05

cve.org (CVE-2026-43139)

nvd.nist.gov (CVE-2026-43139)

Download JSON