2460676 – (CVE-2026-31472) CVE-2026-31472 kernel: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Bug 2460676 (CVE-2026-31472) - CVE-2026-31472 kernel: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Summary: CVE-2026-31472 kernel: xfrm: iptfs: validate inner IPv4 header length in IPTF...

Keywords:
Status:	NEW
Alias:	CVE-2026-31472
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 15:04 UTC by OSIDB Bzimport
Modified:	2026-04-22 18:18 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 15:04:48 UTC

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.

Comment 1 Keith Grant 2026-04-22 18:17:05 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042255-CVE-2026-31472-396d@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.