Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish mode_data after clone setup iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory. The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed. Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 6.14, < 6.18.21 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1Patch
- https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7Patch
- https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6ePatch
FAQ
What is CVE-2026-31471?
CVE-2026-31471 is a vulnerability with a CVSS score of 7.8 (HIGH). In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish mode_data after clone setup iptfs_clone_state() stores x->mode_data before allocating the reorder window...
How severe is CVE-2026-31471?
CVE-2026-31471 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-31471?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.