{"api_version":"1","generated_at":"2026-04-23T04:11:45+00:00","cve":"CVE-2026-31517","urls":{"html":"https://cve.report/CVE-2026-31517","api":"https://cve.report/api/cve/CVE-2026-31517.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31517","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31517"},"summary":{"title":"xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly\n\nIn iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner\npacket 'newskb' that is being reassembled. First a zero-copy approach is\ntried if it succeeds then newskb becomes non-linear.\n\nWhen a subsequent fragment in the same datagram does not meet the\nfast-path conditions, a memory copy is performed. It calls skb_put() to\nappend the data and as newskb is non-linear it triggers\nSKB_LINEAR_ASSERT check.\n\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:skb_put+0x3c/0x40\n [...]\n Call Trace:\n  <IRQ>\n  iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]\n  iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]\n  iptfs_input+0x122/0x3e0 [xfrm_iptfs]\n  xfrm_input+0x91e/0x1a50\n  xfrm4_esp_rcv+0x3a/0x110\n  ip_protocol_deliver_rcu+0x1d7/0x1f0\n  ip_local_deliver_finish+0xbe/0x1e0\n  __netif_receive_skb_core.constprop.0+0xb56/0x1120\n  __netif_receive_skb_list_core+0x133/0x2b0\n  netif_receive_skb_list_internal+0x1ff/0x3f0\n  napi_complete_done+0x81/0x220\n  virtnet_poll+0x9d6/0x116e [virtio_net]\n  __napi_poll.constprop.0+0x2b/0x270\n  net_rx_action+0x162/0x360\n  handle_softirqs+0xdc/0x510\n  __irq_exit_rcu+0xe7/0x110\n  irq_exit_rcu+0xe/0x20\n  common_interrupt+0x85/0xa0\n  </IRQ>\n  <TASK>\n\nFix this by checking if the skb is non-linear. If it is, linearize it by\ncalling skb_linearize(). As the initial allocation of newskb originally\nreserved enough tailroom for the entire reassembled packet we do not\nneed to check if we have enough tailroom or extend it.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-22 14:16:51","updated_at":"2026-04-22 14:16:51"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/7fdfe8f6efeb0e1200e22a903f2471539f54522b","name":"https://git.kernel.org/stable/c/7fdfe8f6efeb0e1200e22a903f2471539f54522b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/33a7b36268933c75bdc355e5531951e0ea9f1951","name":"https://git.kernel.org/stable/c/33a7b36268933c75bdc355e5531951e0ea9f1951","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0b352f83cabfefdaafa806d6471f0eca117dc7d5","name":"https://git.kernel.org/stable/c/0b352f83cabfefdaafa806d6471f0eca117dc7d5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31517","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31517","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7 33a7b36268933c75bdc355e5531951e0ea9f1951 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7 7fdfe8f6efeb0e1200e22a903f2471539f54522b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7 0b352f83cabfefdaafa806d6471f0eca117dc7d5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.14","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.14 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/xfrm/xfrm_iptfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"33a7b36268933c75bdc355e5531951e0ea9f1951","status":"affected","version":"5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7","versionType":"git"},{"lessThan":"7fdfe8f6efeb0e1200e22a903f2471539f54522b","status":"affected","version":"5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7","versionType":"git"},{"lessThan":"0b352f83cabfefdaafa806d6471f0eca117dc7d5","status":"affected","version":"5f2b6a9095743a6bf1f34c43c4fe78fa8bdf5ad7","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/xfrm/xfrm_iptfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.14"},{"lessThan":"6.14","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"6.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"6.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.14","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly\n\nIn iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner\npacket 'newskb' that is being reassembled. First a zero-copy approach is\ntried if it succeeds then newskb becomes non-linear.\n\nWhen a subsequent fragment in the same datagram does not meet the\nfast-path conditions, a memory copy is performed. It calls skb_put() to\nappend the data and as newskb is non-linear it triggers\nSKB_LINEAR_ASSERT check.\n\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:skb_put+0x3c/0x40\n [...]\n Call Trace:\n  <IRQ>\n  iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]\n  iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]\n  iptfs_input+0x122/0x3e0 [xfrm_iptfs]\n  xfrm_input+0x91e/0x1a50\n  xfrm4_esp_rcv+0x3a/0x110\n  ip_protocol_deliver_rcu+0x1d7/0x1f0\n  ip_local_deliver_finish+0xbe/0x1e0\n  __netif_receive_skb_core.constprop.0+0xb56/0x1120\n  __netif_receive_skb_list_core+0x133/0x2b0\n  netif_receive_skb_list_internal+0x1ff/0x3f0\n  napi_complete_done+0x81/0x220\n  virtnet_poll+0x9d6/0x116e [virtio_net]\n  __napi_poll.constprop.0+0x2b/0x270\n  net_rx_action+0x162/0x360\n  handle_softirqs+0xdc/0x510\n  __irq_exit_rcu+0xe7/0x110\n  irq_exit_rcu+0xe/0x20\n  common_interrupt+0x85/0xa0\n  </IRQ>\n  <TASK>\n\nFix this by checking if the skb is non-linear. If it is, linearize it by\ncalling skb_linearize(). As the initial allocation of newskb originally\nreserved enough tailroom for the entire reassembled packet we do not\nneed to check if we have enough tailroom or extend it."}],"providerMetadata":{"dateUpdated":"2026-04-22T13:54:33.522Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/33a7b36268933c75bdc355e5531951e0ea9f1951"},{"url":"https://git.kernel.org/stable/c/7fdfe8f6efeb0e1200e22a903f2471539f54522b"},{"url":"https://git.kernel.org/stable/c/0b352f83cabfefdaafa806d6471f0eca117dc7d5"}],"title":"xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31517","datePublished":"2026-04-22T13:54:33.522Z","dateReserved":"2026-03-09T15:48:24.108Z","dateUpdated":"2026-04-22T13:54:33.522Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 14:16:51","lastModifiedDate":"2026-04-22 14:16:51","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31517","Ordinal":"1","Title":"xfrm: iptfs: fix skb_put() panic on non-linear skb during reasse","CVE":"CVE-2026-31517","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31517","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly\n\nIn iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner\npacket 'newskb' that is being reassembled. First a zero-copy approach is\ntried if it succeeds then newskb becomes non-linear.\n\nWhen a subsequent fragment in the same datagram does not meet the\nfast-path conditions, a memory copy is performed. It calls skb_put() to\nappend the data and as newskb is non-linear it triggers\nSKB_LINEAR_ASSERT check.\n\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:skb_put+0x3c/0x40\n [...]\n Call Trace:\n  <IRQ>\n  iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]\n  iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]\n  iptfs_input+0x122/0x3e0 [xfrm_iptfs]\n  xfrm_input+0x91e/0x1a50\n  xfrm4_esp_rcv+0x3a/0x110\n  ip_protocol_deliver_rcu+0x1d7/0x1f0\n  ip_local_deliver_finish+0xbe/0x1e0\n  __netif_receive_skb_core.constprop.0+0xb56/0x1120\n  __netif_receive_skb_list_core+0x133/0x2b0\n  netif_receive_skb_list_internal+0x1ff/0x3f0\n  napi_complete_done+0x81/0x220\n  virtnet_poll+0x9d6/0x116e [virtio_net]\n  __napi_poll.constprop.0+0x2b/0x270\n  net_rx_action+0x162/0x360\n  handle_softirqs+0xdc/0x510\n  __irq_exit_rcu+0xe7/0x110\n  irq_exit_rcu+0xe/0x20\n  common_interrupt+0x85/0xa0\n  </IRQ>\n  <TASK>\n\nFix this by checking if the skb is non-linear. If it is, linearize it by\ncalling skb_linearize(). As the initial allocation of newskb originally\nreserved enough tailroom for the entire reassembled packet we do not\nneed to check if we have enough tailroom or extend it.","Type":"Description","Title":"xfrm: iptfs: fix skb_put() panic on non-linear skb during reasse"}]}}}