VYPR
Medium severity · CVSS 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 13, 2026

CVE-2026-43167

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: always flush state and policy upon NETDEV_UNREGISTER event

syzbot is reporting that "struct xfrm_state" refcount is leaking.

unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2
ref_tracker: netdev@ffff888052f24618 has 1/1 users at
  __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
  netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]
  xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316
  xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]
  xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022
  xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507
  netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550
  xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529
  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
  netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344
  netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894
  sock_sendmsg_nosec net/socket.c:727 [inline]
  __sock_sendmsg net/socket.c:742 [inline]
  ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592
  ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646
  __sys_sendmsg+0x16d/0x220 net/socket.c:2678
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") implemented xfrm_dev_unregister() as a no-op, even though xfrm_dev_state_add() (called from xfrm_state_construct()) acquires a reference to "struct net_device". I guess that that commit expected that the NETDEV_DOWN event is fired before the NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add() is called only if (dev->features & NETIF_F_HW_ESP) != 0.

Sabrina Dubroca identified steps to reproduce the same symptoms as below.

echo 0 > /sys/bus/netdevsim/new_device
dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)
ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \
    spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \
    offload crypto dev $dev dir out
ethtool -K $dev esp-hw-offload off
echo 0 > /sys/bus/netdevsim/del_device

As these steps indicate, the NETIF_F_HW_ESP bit can be cleared after xfrm_dev_state_add() has acquired a reference to "struct net_device". Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit when acquiring a reference to "struct net_device".

Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device") re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that commit, for an unknown reason, chose to share xfrm_dev_down() between the NETDEV_DOWN event and the NETDEV_UNREGISTER event. I guess that that commit missed the behavior described in the previous paragraph.

Therefore, we need to re-introduce xfrm_dev_unregister() in order to release the reference to "struct net_device" by unconditionally flushing state and policy.
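To make the reference flow concrete, the following is an added user-space C model of the sequence the description walks through; it is not the kernel's code and not part of the commit. It assumes that the shared xfrm_dev_down() handler flushes states only while NETIF_F_HW_ESP is still set (the behavior the description implies), and uses placeholder values for the feature bit and for the refcount baseline.

```c
/* Added user-space model of the CVE-2026-43167 reference leak; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#define NETIF_F_HW_ESP 0x1u   /* placeholder bit value for the model */
#define MAX_STATES 8

struct net_device { unsigned features; int refcnt; };
struct xfrm_state { struct net_device *dev; bool used; };   /* one offloaded SA */
static struct xfrm_state states[MAX_STATES];

/* Take a device reference without checking NETIF_F_HW_ESP, as the description notes. */
static int xfrm_dev_state_add(struct net_device *dev) {
    for (size_t i = 0; i < MAX_STATES; i++) {
        if (states[i].used) continue;
        states[i] = (struct xfrm_state){ .dev = dev, .used = true };
        dev->refcnt++;                         /* netdev_tracker_alloc() */
        return 0;
    }
    return -1;                                 /* no free slot (model limit) */
}

/* Drop every state bound to dev, returning its device reference. */
static void xfrm_dev_state_flush(struct net_device *dev) {
    for (size_t i = 0; i < MAX_STATES; i++)
        if (states[i].used && states[i].dev == dev) {
            states[i].used = false;
            dev->refcnt--;                     /* reference released */
        }
}

/* Shared NETDEV_DOWN/NETDEV_UNREGISTER handler (buggy): the flush is feature-gated. */
static void xfrm_dev_down(struct net_device *dev) { if (dev->features & NETIF_F_HW_ESP) xfrm_dev_state_flush(dev); }

/* Fixed NETDEV_UNREGISTER handler: flush unconditionally. */
static void xfrm_dev_unregister(struct net_device *dev) { xfrm_dev_state_flush(dev); }

/* Replay the reproducer. refcnt starts at 1 for the core's own reference (model
 * assumption): 1 means the device can be freed, 2 matches "Usage count = 2". */
int replay_reproducer(bool clear_hw_esp, bool fixed) {
    struct net_device dev = { .features = NETIF_F_HW_ESP, .refcnt = 1 };
    for (size_t i = 0; i < MAX_STATES; i++) states[i].used = false;
    xfrm_dev_state_add(&dev);                  /* ip xfrm state add ... offload crypto dev $dev */
    if (clear_hw_esp)
        dev.features &= ~NETIF_F_HW_ESP;       /* ethtool -K $dev esp-hw-offload off */
    if (fixed) xfrm_dev_unregister(&dev);      /* del_device -> NETDEV_UNREGISTER */
    else       xfrm_dev_down(&dev);
    return dev.refcnt;
}
```

Only the combination of a cleared feature bit and the feature-gated handler leaves the extra reference behind; the unconditional flush releases it in every case.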

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reference leak in the Linux kernel's xfrm subsystem causes a net_device refcount imbalance, preventing device unregistration.

Vulnerability

Description

CVE-2026-43167 is a reference-count leak in the Linux kernel's IPsec (xfrm) subsystem. The bug occurs because the xfrm_dev_unregister() function, introduced by commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API"), was implemented as a no-op, even though xfrm_dev_state_add() (called from xfrm_state_construct()) acquires a reference to the struct net_device via netdev_tracker_alloc. When a network device is unregistered (NETDEV_UNREGISTER event), the xfrm state and policy are not flushed, leaving the device's reference count elevated and preventing the device from being freed [1][2].

Exploitation

Conditions

An attacker would need the ability to create xfrm states (requiring CAP_NET_ADMIN) and to trigger the unregistration of a network device that has IPsec offloading enabled. The syzbot reproducer uses a netdevsim device, but any device supporting hardware ESP offload (NETIF_F_HW_ESP) could be affected. The bug is triggered when a device is removed without first being taken down (NETDEV_DOWN), which the original code incorrectly assumed would always precede unregistration [3].

Impact

The primary impact is a denial-of-service condition: the kernel holds an extra reference on the network device, causing unregister_netdevice() to wait indefinitely ("waiting for netdevsim0 to become free. Usage count = 2"). This prevents the device from being removed and can lead to resource exhaustion if many such operations are performed. The bug does not directly allow code execution or privilege escalation [4].

Mitigation

The fix, committed in multiple stable kernel branches, modifies xfrm_dev_unregister() to flush all xfrm states and policies associated with the device when a NETDEV_UNREGISTER event is received. Users should apply the corresponding kernel patch from their distribution. No workaround is available other than avoiding the triggering condition, i.e. unregistering a device while offloaded xfrm states still reference it [1][2][3][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
