{"api_version":"1","generated_at":"2026-04-23T12:00:22+00:00","cve":"CVE-2026-31472","urls":{"html":"https://cve.report/CVE-2026-31472","api":"https://cve.report/api/cve/CVE-2026-31472.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31472","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31472"},"summary":{"title":"xfrm: iptfs: validate inner IPv4 header length in IPTFS payload","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: validate inner IPv4 header length in IPTFS payload\n\nAdd validation of the inner IPv4 packet tot_len and ihl fields parsed\nfrom decrypted IPTFS payloads in __input_process_payload(). A crafted\nESP packet containing an inner IPv4 header with tot_len=0 causes an\ninfinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the\ndata offset never advances and the while(data < tail) loop never\nterminates, spinning forever in softirq context.\n\nReject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct\niphdr), which catches both the tot_len=0 case and malformed ihl values.\nThe normal IP stack performs this validation in ip_rcv_core(), but IPTFS\nextracts and processes inner packets before they reach that layer.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-22 14:16:43","updated_at":"2026-04-22 14:16:43"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/3db7d4f777a00164582061ccaa99569cd85011a3","name":"https://git.kernel.org/stable/c/3db7d4f777a00164582061ccaa99569cd85011a3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/de6d8e8ce5187f7402c9859b443355e7120c5f09","name":"https://git.kernel.org/stable/c/de6d8e8ce5187f7402c9859b443355e7120c5f09","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0d10393d5eac33cbd92f7a41fddca12c41d3cb7e","name":"https://git.kernel.org/stable/c/0d10393d5eac33cbd92f7a41fddca12c41d3cb7e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31472","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31472","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6c82d2433671819a550227bf65bfb6043e3d3305 de6d8e8ce5187f7402c9859b443355e7120c5f09 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6c82d2433671819a550227bf65bfb6043e3d3305 3db7d4f777a00164582061ccaa99569cd85011a3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6c82d2433671819a550227bf65bfb6043e3d3305 0d10393d5eac33cbd92f7a41fddca12c41d3cb7e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.14","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.14 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/xfrm/xfrm_iptfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"de6d8e8ce5187f7402c9859b443355e7120c5f09","status":"affected","version":"6c82d2433671819a550227bf65bfb6043e3d3305","versionType":"git"},{"lessThan":"3db7d4f777a00164582061ccaa99569cd85011a3","status":"affected","version":"6c82d2433671819a550227bf65bfb6043e3d3305","versionType":"git"},{"lessThan":"0d10393d5eac33cbd92f7a41fddca12c41d3cb7e","status":"affected","version":"6c82d2433671819a550227bf65bfb6043e3d3305","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/xfrm/xfrm_iptfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.14"},{"lessThan":"6.14","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"6.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"6.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.14","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: validate inner IPv4 header length in IPTFS payload\n\nAdd validation of the inner IPv4 packet tot_len and ihl fields parsed\nfrom decrypted IPTFS payloads in __input_process_payload(). A crafted\nESP packet containing an inner IPv4 header with tot_len=0 causes an\ninfinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the\ndata offset never advances and the while(data < tail) loop never\nterminates, spinning forever in softirq context.\n\nReject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct\niphdr), which catches both the tot_len=0 case and malformed ihl values.\nThe normal IP stack performs this validation in ip_rcv_core(), but IPTFS\nextracts and processes inner packets before they reach that layer."}],"providerMetadata":{"dateUpdated":"2026-04-22T13:54:00.281Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/de6d8e8ce5187f7402c9859b443355e7120c5f09"},{"url":"https://git.kernel.org/stable/c/3db7d4f777a00164582061ccaa99569cd85011a3"},{"url":"https://git.kernel.org/stable/c/0d10393d5eac33cbd92f7a41fddca12c41d3cb7e"}],"title":"xfrm: iptfs: validate inner IPv4 header length in IPTFS payload","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31472","datePublished":"2026-04-22T13:54:00.281Z","dateReserved":"2026-03-09T15:48:24.098Z","dateUpdated":"2026-04-22T13:54:00.281Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 14:16:43","lastModifiedDate":"2026-04-22 14:16:43","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31472","Ordinal":"1","Title":"xfrm: iptfs: validate inner IPv4 header length in IPTFS payload","CVE":"CVE-2026-31472","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31472","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: validate inner IPv4 header length in IPTFS payload\n\nAdd validation of the inner IPv4 packet tot_len and ihl fields parsed\nfrom decrypted IPTFS payloads in __input_process_payload(). A crafted\nESP packet containing an inner IPv4 header with tot_len=0 causes an\ninfinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the\ndata offset never advances and the while(data < tail) loop never\nterminates, spinning forever in softirq context.\n\nReject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct\niphdr), which catches both the tot_len=0 case and malformed ihl values.\nThe normal IP stack performs this validation in ip_rcv_core(), but IPTFS\nextracts and processes inner packets before they reach that layer.","Type":"Description","Title":"xfrm: iptfs: validate inner IPv4 header length in IPTFS payload"}]}}}