VYPR
Medium severity · 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 19, 2026

CVE-2026-43090

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix refcount leak in xfrm_migrate_policy_find

syzkaller reported a memory leak in xfrm_policy_alloc:

    BUG: memory leak
    unreferenced object 0xffff888114d79000 (size 1024):
      comm "syz.1.17", pid 931
      ...
      xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432

The root cause is a double call to xfrm_pol_hold_rcu() in xfrm_migrate_policy_find(). The lookup function already returns a policy with a held reference, making the second call redundant.

Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount imbalance and prevent the memory leak.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A refcount leak in the Linux kernel's xfrm_migrate_policy_find() function allows local attackers to cause memory exhaustion and denial of service.

Vulnerability

Description

A refcount leak vulnerability exists in the Linux kernel's IPsec (xfrm) subsystem, specifically in the xfrm_migrate_policy_find() function. The root cause is a redundant call to xfrm_pol_hold_rcu() on a policy that already has a held reference from the lookup operation, leading to a double reference increment and a subsequent memory leak [1][2][3][4]. This was discovered by the Linux Verification Center using syzkaller.

Exploitation

The vulnerability can be triggered by a local attacker with the ability to perform IPsec migration operations, typically via netlink sockets. No special privileges beyond the ability to invoke the migration path are required. The attack surface is local, as the kernel function is invoked during policy migration.

Impact

An attacker can cause a persistent memory leak by repeatedly triggering the migration operation, leading to resource exhaustion and eventual denial of service. The syzkaller report lists the leaked object as 1024 bytes in size, and such objects can accumulate over time.

Mitigation

The fix removes the redundant xfrm_pol_hold_rcu() call. Patches have been applied to the Linux kernel stable branches (see commits [1][2][3][4]). Users should update to the latest kernel version to remediate this issue.
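
The refcount imbalance and its fix, as a small userspace model added here for illustration; it is not the kernel's code or the upstream patch. All struct and function names are hypothetical, policy_hold() only stands in for xfrm_pol_hold_rcu(), and the model assumes the caller drops exactly one reference on the policy it receives.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model with hypothetical names; not kernel code. */
struct policy { int refcnt; bool freed; };

/* Stands in for xfrm_pol_hold_rcu(): take a reference unless the count is 0. */
static bool policy_hold(struct policy *p)
{
    return p->refcnt > 0 && ++p->refcnt;
}

/* Drop a reference; the object is released only when the count reaches 0. */
static void policy_put(struct policy *p)
{
    if (--p->refcnt == 0)
        p->freed = true;             /* stands in for freeing the allocation */
}

/* The lookup already returns a held policy. redundant_hold=true adds the
 * second hold that the fix removes. */
static struct policy *migrate_policy_find(struct policy *entry, bool redundant_hold)
{
    struct policy *p = policy_hold(entry) ? entry : NULL;  /* lookup's hold */
    if (p && redundant_hold)
        policy_hold(p);              /* extra reference nobody drops */
    return p;
}

/* One find-then-delete cycle; returns the references still outstanding
 * once every owner has dropped the reference it knows about. */
static int refs_left_after_cycle(bool redundant_hold)
{
    struct policy entry = { .refcnt = 1, .freed = false };  /* table's ref */
    struct policy *p = migrate_policy_find(&entry, redundant_hold);
    if (p)
        policy_put(p);               /* caller drops the one reference it got */
    policy_put(&entry);              /* table drops its reference on deletion */
    return entry.freed ? 0 : entry.refcnt;
}

int main(void)
{
    printf("pre-fix: %d reference(s) left, object never freed\n",
           refs_left_after_cycle(true));
    printf("fixed:   %d reference(s) left\n", refs_left_after_cycle(false));
    return 0;
}
```

A non-zero result means the count can never reach zero through normal puts, which is the condition the kernel's leak detector reported as an unreferenced object.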

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

4
