Severity: HIGH
xfrm IPTFS UAF
CVE-2026-31471
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: only publish mode_data after clone setup

iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory. The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed.

Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.
02 KernelScan AI Analysis
Risk summary
Local attackers with low privileges can trigger a use-after-free vulnerability in the XFRM IPTFS subsystem during state cloning operations. This can lead to kernel memory corruption, privilege escalation, or system crashes when IPsec IPTFS tunnels are configured.
Vulnerability analysis
The vulnerability occurs in iptfs_clone_state() where x->mode_data is assigned to point to newly allocated IPTFS state before the reorder window allocation completes. If the reorder window allocation fails, the function frees the IPTFS state and returns -ENOMEM, but leaves x->mode_data pointing to the freed memory. Later, the xfrm clone unwind path calls destroy_state() through the dangling x->mode_data pointer, causing a use-after-free condition. The fix delays publishing x->mode_data until all allocations succeed, ensuring failed clones leave x->mode_data as NULL, which the destroy path already handles safely.
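The ordering defect described above, reduced to a user-space toy model (added here for illustration; this is not the kernel's code): a clone routine that publishes the partially built state before its reorder window exists, beside one that publishes only after every allocation succeeded. The struct names, the fail_window_alloc switch and the window sizes are constructed for the example.

```c
#include <stdlib.h>
#include <errno.h>
/* Toy model of the clone/unwind ordering described above; not kernel code. */
struct iptfs_data { unsigned int *reorder_win; };
struct xfrm_state { void *mode_data; };

static int fail_window_alloc; /* constructed stand-in for a failing kmalloc() */
static unsigned int *alloc_window(unsigned int n)
{
	return fail_window_alloc ? NULL : calloc(n, sizeof(unsigned int));
}

/* Unwind path: tolerates a NULL mode_data, as the advisory notes. */
static void destroy_state(struct xfrm_state *x)
{
	struct iptfs_data *d = x->mode_data;
	if (!d)
		return;
	free(d->reorder_win);
	free(d);
	x->mode_data = NULL;
}

/* Before the fix: mode_data is published before the window exists, so on a
 * failed allocation the unwind's destroy_state() would walk freed memory. */
static int clone_state_buggy(struct xfrm_state *x, unsigned int win)
{
	struct iptfs_data *d = calloc(1, sizeof(*d));
	if (!d)
		return -ENOMEM;
	x->mode_data = d;                     /* published too early */
	d->reorder_win = alloc_window(win);
	if (!d->reorder_win) {
		free(d);                      /* x->mode_data now dangles */
		return -ENOMEM;
	}
	return 0;
}

/* After the fix: keep the clone private until every allocation succeeded. */
static int clone_state_fixed(struct xfrm_state *x, unsigned int win)
{
	struct iptfs_data *d = calloc(1, sizeof(*d));
	if (!d)
		return -ENOMEM;
	d->reorder_win = alloc_window(win);
	if (!d->reorder_win) {
		free(d);                      /* x->mode_data stays NULL */
		return -ENOMEM;
	}
	x->mode_data = d;                     /* publish only on success */
	return 0;
}
```

Running destroy_state() after a failed clone_state_fixed() is a no-op because mode_data was never set, whereas after a failed clone_state_buggy() it would operate on memory that was already freed.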
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.21 | 371a43c4ac70 |
| 6.19 | 6.19.11 | 5784a1e2889c |
| mainline | 7.0 | d849a2f7309f |