CVE-2026-31518
Description
In the Linux kernel, the following vulnerability has been resolved:
esp: fix skb leak with espintcp and async crypto
When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us.
With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in Linux kernel's ESP with TCP encapsulation and async crypto can be exploited to cause denial of service via resource exhaustion.
Vulnerability
In the Linux kernel, a memory leak (skb leak) exists in the ESP (Encapsulating Security Payload) implementation when using TCP encapsulation (espintcp) with asynchronous cryptographic operations. The root cause is that when the TX queue for espintcp is full, the function esp_output_tail_tcp returns an error without freeing the socket buffer (skb). In the synchronous crypto path, the common xfrm output code handles the drop, but in the asynchronous path (esp_output_done), the skb was not freed, leading to a memory leak.
Exploitation
The vulnerability can be triggered by sending ESP packets over TCP (espintcp) when the TX queue becomes full, which can occur under high network load or with specific traffic patterns. The attack requires the ability to send IPsec ESP packets that use TCP encapsulation and asynchronous crypto (e.g., hardware offload). No special privileges are needed beyond network access to send such packets.
Impact
An attacker could cause a kernel memory leak by repeatedly triggering the condition, potentially leading to resource exhaustion and denial of service (system hang or crash). The CVSS score is 5.5 (Medium), indicating a moderate severity.
Mitigation
The fix was applied in the Linux kernel stable tree via commits [1][2][3][4] (backports to various stable versions). Users should update their kernel to include the fix. No workaround is mentioned.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
8cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.6,<5.10.253
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2nvdPatch
- git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcdnvdPatch
- git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9nvdPatch
- git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4nvdPatch
- git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47nvdPatch
- git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818nvdPatch
- git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224nvdPatch
- git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15nvdPatch
News mentions
0No linked articles in our index yet.