VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Apr 22, 2026· Updated Apr 28, 2026

CVE-2026-31517

CVE-2026-31517

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly

In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner packet 'newskb' that is being reassembled. First a zero-copy approach is tried if it succeeds then newskb becomes non-linear.

When a subsequent fragment in the same datagram does not meet the fast-path conditions, a memory copy is performed. It calls skb_put() to append the data and as newskb is non-linear it triggers SKB_LINEAR_ASSERT check.

Oops: invalid opcode: 0000 [#1] SMP NOPTI [...] RIP: 0010:skb_put+0x3c/0x40 [...] Call Trace:

iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs] iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs] iptfs_input+0x122/0x3e0 [xfrm_iptfs] xfrm_input+0x91e/0x1a50 xfrm4_esp_rcv+0x3a/0x110 ip_protocol_deliver_rcu+0x1d7/0x1f0 ip_local_deliver_finish+0xbe/0x1e0 __netif_receive_skb_core.constprop.0+0xb56/0x1120 __netif_receive_skb_list_core+0x133/0x2b0 netif_receive_skb_list_internal+0x1ff/0x3f0 napi_complete_done+0x81/0x220 virtnet_poll+0x9d6/0x116e [virtio_net] __napi_poll.constprop.0+0x2b/0x270 net_rx_action+0x162/0x360 handle_softirqs+0xdc/0x510 __irq_exit_rcu+0xe7/0x110 irq_exit_rcu+0xe/0x20 common_interrupt+0x85/0xa0

Fix this by checking if the skb is non-linear. If it is, linearize it by calling skb_linearize(). As the initial allocation of newskb originally reserved enough tailroom for the entire reassembled packet we do not need to check if we have enough tailroom or extend it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A kernel panic in xfrm IP-TFS reassembly occurs when skb_put() is called on a non-linear skb during fragment processing, leading to a system crash. The fix linearizes the skb when non-linear.

Vulnerability

CVE-2026-31517 is a denial-of-service vulnerability in the Linux kernel's IP-TFS (IPsec Traffic Flow Security) reassembly logic within the xfrm subsystem. The bug resides in iptfs_reassem_cont(), where the code attempts to append data to a reassembled skb using skb_put(). If a previous fragment was handled via a zero-copy fast path, the skb becomes non-linear. When a subsequent fragment requires a memory copy, the call to skb_put() triggers an SKB_LINEAR_ASSERT check, causing a kernel panic (Oops: invalid opcode) [1].

Exploitation

An attacker can trigger this vulnerability by sending a crafted sequence of IP-TFS fragments that cause the reassembly process to intermix zero-copy and copy operations. No authentication is required if the system processes IPsec traffic with IP-TFS enabled. The attack vector is network-based, and the attacker must be able to send malicious fragmented datagrams to the target. The bug is reachable from the network stack via iptfs_input_ordered and xfrm_input [2].

Impact

Exploitation results in a kernel panic, leading to a denial of service (system crash). The CVSS v3 base score is 5.5 (Medium), indicating a moderate impact with high availability impact but no confidentiality or integrity loss. The vulnerability can be used to crash the system, disrupting network services.

Mitigation

The fix, committed in the Linux kernel stable tree, adds a check for non-linear skbs in iptfs_reassem_cont(). If the skb is non-linear, it is linearized via skb_linearize() before calling skb_put() [3]. Users should apply the corresponding stable kernel updates to their systems. No workaround is available; the only mitigation is to apply the patch.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
  • Linux/Kernel9 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.14.1,<6.18.21
    • cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.