{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31472", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:54:00.281Z", "dateUpdated": "2026-04-22T13:54:00.281Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:00.281Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: validate inner IPv4 header length in IPTFS payload\n\nAdd validation of the inner IPv4 packet tot_len and ihl fields parsed\nfrom decrypted IPTFS payloads in __input_process_payload(). A crafted\nESP packet containing an inner IPv4 header with tot_len=0 causes an\ninfinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the\ndata offset never advances and the while(data < tail) loop never\nterminates, spinning forever in softirq context.\n\nReject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct\niphdr), which catches both the tot_len=0 case and malformed ihl values.\nThe normal IP stack performs this validation in ip_rcv_core(), but IPTFS\nextracts and processes inner packets before they reach that layer."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_iptfs.c"], "versions": [{"version": "6c82d2433671819a550227bf65bfb6043e3d3305", "lessThan": "de6d8e8ce5187f7402c9859b443355e7120c5f09", "status": "affected", "versionType": "git"}, {"version": "6c82d2433671819a550227bf65bfb6043e3d3305", "lessThan": "3db7d4f777a00164582061ccaa99569cd85011a3", "status": "affected", "versionType": "git"}, {"version": "6c82d2433671819a550227bf65bfb6043e3d3305", "lessThan": "0d10393d5eac33cbd92f7a41fddca12c41d3cb7e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_iptfs.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/de6d8e8ce5187f7402c9859b443355e7120c5f09"}, {"url": "https://git.kernel.org/stable/c/3db7d4f777a00164582061ccaa99569cd85011a3"}, {"url": "https://git.kernel.org/stable/c/0d10393d5eac33cbd92f7a41fddca12c41d3cb7e"}], "title": "xfrm: iptfs: validate inner IPv4 header length in IPTFS payload", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: validate inner IPv4 header length in IPTFS payload\n\nAdd validation of the inner IPv4 packet tot_len and ihl fields parsed\nfrom decrypted IPTFS payloads in __input_process_payload(). A crafted\nESP packet containing an inner IPv4 header with tot_len=0 causes an\ninfinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the\ndata offset never advances and the while(data < tail) loop never\nterminates, spinning forever in softirq context.\n\nReject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct\niphdr), which catches both the tot_len=0 case and malformed ihl values.\nThe normal IP stack performs this validation in ip_rcv_core(), but IPTFS\nextracts and processes inner packets before they reach that layer."}], "id": "CVE-2026-31472", "lastModified": "2026-04-23T16:17:41.280", "metrics": {}, "published": "2026-04-22T14:16:43.740", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d10393d5eac33cbd92f7a41fddca12c41d3cb7e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3db7d4f777a00164582061ccaa99569cd85011a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/de6d8e8ce5187f7402c9859b443355e7120c5f09"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload", "id": "2460676", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460676"}, "csaw": false, "cwe": "CWE-606", "details": ["A flaw was found in the Linux kernel, specifically within the xfrm and iptfs components. A remote attacker could exploit this vulnerability by sending a specially crafted Encapsulating Security Payload (ESP) packet. This packet, containing an inner IPv4 header with a total length (tot_len) of zero or malformed Internet Header Length (ihl) values, could trigger an infinite loop in the kernel's processing. This issue results in a Denial of Service (DoS), rendering the affected system unresponsive."], "name": "CVE-2026-31472", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31472\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31472\nhttps://lore.kernel.org/linux-cve-announce/2026042255-CVE-2026-31472-396d@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6c82d2433671819a550227bf65bfb6043e3d3305,de6d8e8ce5187f7402c9859b443355e7120c5f09)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6c82d2433671819a550227bf65bfb6043e3d3305,3db7d4f777a00164582061ccaa99569cd85011a3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6c82d2433671819a550227bf65bfb6043e3d3305,0d10393d5eac33cbd92f7a41fddca12c41d3cb7e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:58:21.315309+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s kernel patch that introduces validation of the inner IPv4 header tot_len and ihl fields in __input_process_payload().", "If the patch cannot be applied immediately, block or drop suspicious ESP packets at the network perimeter using firewall rules or by disabling IPTFS if it is not required for your environment.", "After applying the patch, monitor system performance and softirq statistics for any residual abnormal behavior caused by packet processing loops."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Both Linux kernel distributions are affected, including all versions shipped by Linux:Linux until the patch that adds inner packet length validation is applied. No specific version list is supplied, so all kernels prior to the commit that introduced the validation of tot_len and ihl fields are vulnerable.", "description_and_impact": "The vulnerability resides in the Linux kernel\u2019s IPTFS payload handling. A crafted ESP packet carrying an inner IPv4 header with a total length of zero or malformed header length bypasses validation, causing an infinite loop in softirq context. This loop prevents the data offset from advancing, resulting in a never\u2011terminating while loop that consumes CPU time and stalls packet processing, effectively crashing or disabling the kernel\u2019s networking stack. The weakness is a missing input validation that leads to uncontrolled resource consumption.", "risk_and_exploitability": "The attack vector is network\u2011based; an adversary can send crafted ESP packets from outside or inside the network to trigger the infinite loop. EPSS data are not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, but the denial of service impact combined with the ability to trigger it remotely indicates a high risk. The lack of hardening in the kernel\u2019s packet processing path means the exploit requires no special privileges and can be executed from any source that can reach the vulnerable host."}}}}, "created": "2026-04-22T17:15:21.908428+00:00", "updated": "2026-04-22T19:00:08.096494+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-400"]}