{"api_version":"1","generated_at":"2026-05-13T02:11:17+00:00","cve":"CVE-2026-43167","urls":{"html":"https://cve.report/CVE-2026-43167","api":"https://cve.report/api/cve/CVE-2026-43167.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43167","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43167"},"summary":{"title":"xfrm: always flush state and policy upon NETDEV_UNREGISTER event","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: always flush state and policy upon NETDEV_UNREGISTER event\n\nsyzbot is reporting that \"struct xfrm_state\" refcount is leaking.\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2\n  ref_tracker: netdev@ffff888052f24618 has 1/1 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]\n       xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316\n       xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]\n       xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022\n       xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507\n       netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550\n       xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894\n       sock_sendmsg_nosec net/socket.c:727 [inline]\n       __sock_sendmsg net/socket.c:742 [inline]\n       ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592\n       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646\n       __sys_sendmsg+0x16d/0x220 net/socket.c:2678\n       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n       do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis is because commit d77e38e612a0 (\"xfrm: Add an IPsec hardware\noffloading API\") implemented xfrm_dev_unregister() as no-op despite\nxfrm_dev_state_add() from xfrm_state_construct() acquires a reference\nto \"struct net_device\".\nI guess that that commit expected that NETDEV_DOWN event is fired before\nNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()\nis called only if (dev->features & NETIF_F_HW_ESP) != 0.\n\nSabrina Dubroca identified steps to reproduce the same symptoms as below.\n\n  echo 0 > /sys/bus/netdevsim/new_device\n  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)\n  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \\\n     spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128   \\\n     offload crypto dev $dev dir out\n  ethtool -K $dev esp-hw-offload off\n  echo 0 > /sys/bus/netdevsim/del_device\n\nLike these steps indicate, the NETIF_F_HW_ESP bit can be cleared after\nxfrm_dev_state_add() acquired a reference to \"struct net_device\".\nAlso, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit\nwhen acquiring a reference to \"struct net_device\".\n\nCommit 03891f820c21 (\"xfrm: handle NETDEV_UNREGISTER for xfrm device\")\nre-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that\ncommit for unknown reason chose to share xfrm_dev_down() between the\nNETDEV_DOWN event and the NETDEV_UNREGISTER event.\nI guess that that commit missed the behavior in the previous paragraph.\n\nTherefore, we need to re-introduce xfrm_dev_unregister() in order to\nrelease the reference to \"struct net_device\" by unconditionally flushing\nstate and policy.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 12:16:34","updated_at":"2026-05-06 13:07:51"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3","name":"https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8","name":"https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4","name":"https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e","name":"https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed","name":"https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43167","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43167","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d77e38e612a017480157fe6d2c1422f42cb5b7e3 166801e49a5b5fc127b8c9e2f110f303cfddfbc3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d77e38e612a017480157fe6d2c1422f42cb5b7e3 a3c8fede034fa27892f87c863cbd5493167d17ed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d77e38e612a017480157fe6d2c1422f42cb5b7e3 59581778792cbaf8ad788f4a21dc663ce986050e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d77e38e612a017480157fe6d2c1422f42cb5b7e3 8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d77e38e612a017480157fe6d2c1422f42cb5b7e3 4efa91a28576054aae0e6dad9cba8fed8293aef8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.12","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.12 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.128 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.16 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.6 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/xfrm/xfrm_device.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"166801e49a5b5fc127b8c9e2f110f303cfddfbc3","status":"affected","version":"d77e38e612a017480157fe6d2c1422f42cb5b7e3","versionType":"git"},{"lessThan":"a3c8fede034fa27892f87c863cbd5493167d17ed","status":"affected","version":"d77e38e612a017480157fe6d2c1422f42cb5b7e3","versionType":"git"},{"lessThan":"59581778792cbaf8ad788f4a21dc663ce986050e","status":"affected","version":"d77e38e612a017480157fe6d2c1422f42cb5b7e3","versionType":"git"},{"lessThan":"8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4","status":"affected","version":"d77e38e612a017480157fe6d2c1422f42cb5b7e3","versionType":"git"},{"lessThan":"4efa91a28576054aae0e6dad9cba8fed8293aef8","status":"affected","version":"d77e38e612a017480157fe6d2c1422f42cb5b7e3","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/xfrm/xfrm_device.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.12"},{"lessThan":"4.12","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.128","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.16","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.128","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.16","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.6","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"4.12","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: always flush state and policy upon NETDEV_UNREGISTER event\n\nsyzbot is reporting that \"struct xfrm_state\" refcount is leaking.\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2\n  ref_tracker: netdev@ffff888052f24618 has 1/1 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]\n       xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316\n       xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]\n       xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022\n       xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507\n       netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550\n       xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894\n       sock_sendmsg_nosec net/socket.c:727 [inline]\n       __sock_sendmsg net/socket.c:742 [inline]\n       ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592\n       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646\n       __sys_sendmsg+0x16d/0x220 net/socket.c:2678\n       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n       do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis is because commit d77e38e612a0 (\"xfrm: Add an IPsec hardware\noffloading API\") implemented xfrm_dev_unregister() as no-op despite\nxfrm_dev_state_add() from xfrm_state_construct() acquires a reference\nto \"struct net_device\".\nI guess that that commit expected that NETDEV_DOWN event is fired before\nNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()\nis called only if (dev->features & NETIF_F_HW_ESP) != 0.\n\nSabrina Dubroca identified steps to reproduce the same symptoms as below.\n\n  echo 0 > /sys/bus/netdevsim/new_device\n  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)\n  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \\\n     spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128   \\\n     offload crypto dev $dev dir out\n  ethtool -K $dev esp-hw-offload off\n  echo 0 > /sys/bus/netdevsim/del_device\n\nLike these steps indicate, the NETIF_F_HW_ESP bit can be cleared after\nxfrm_dev_state_add() acquired a reference to \"struct net_device\".\nAlso, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit\nwhen acquiring a reference to \"struct net_device\".\n\nCommit 03891f820c21 (\"xfrm: handle NETDEV_UNREGISTER for xfrm device\")\nre-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that\ncommit for unknown reason chose to share xfrm_dev_down() between the\nNETDEV_DOWN event and the NETDEV_UNREGISTER event.\nI guess that that commit missed the behavior in the previous paragraph.\n\nTherefore, we need to re-introduce xfrm_dev_unregister() in order to\nrelease the reference to \"struct net_device\" by unconditionally flushing\nstate and policy."}],"providerMetadata":{"dateUpdated":"2026-05-06T11:27:43.904Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3"},{"url":"https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed"},{"url":"https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e"},{"url":"https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4"},{"url":"https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8"}],"title":"xfrm: always flush state and policy upon NETDEV_UNREGISTER event","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43167","datePublished":"2026-05-06T11:27:43.904Z","dateReserved":"2026-05-01T14:12:55.990Z","dateUpdated":"2026-05-06T11:27:43.904Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 12:16:34","lastModifiedDate":"2026-05-06 13:07:51","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43167","Ordinal":"1","Title":"xfrm: always flush state and policy upon NETDEV_UNREGISTER event","CVE":"CVE-2026-43167","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43167","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: always flush state and policy upon NETDEV_UNREGISTER event\n\nsyzbot is reporting that \"struct xfrm_state\" refcount is leaking.\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2\n  ref_tracker: netdev@ffff888052f24618 has 1/1 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]\n       xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316\n       xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]\n       xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022\n       xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507\n       netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550\n       xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894\n       sock_sendmsg_nosec net/socket.c:727 [inline]\n       __sock_sendmsg net/socket.c:742 [inline]\n       ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592\n       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646\n       __sys_sendmsg+0x16d/0x220 net/socket.c:2678\n       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n       do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis is because commit d77e38e612a0 (\"xfrm: Add an IPsec hardware\noffloading API\") implemented xfrm_dev_unregister() as no-op despite\nxfrm_dev_state_add() from xfrm_state_construct() acquires a reference\nto \"struct net_device\".\nI guess that that commit expected that NETDEV_DOWN event is fired before\nNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()\nis called only if (dev->features & NETIF_F_HW_ESP) != 0.\n\nSabrina Dubroca identified steps to reproduce the same symptoms as below.\n\n  echo 0 > /sys/bus/netdevsim/new_device\n  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)\n  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \\\n     spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128   \\\n     offload crypto dev $dev dir out\n  ethtool -K $dev esp-hw-offload off\n  echo 0 > /sys/bus/netdevsim/del_device\n\nLike these steps indicate, the NETIF_F_HW_ESP bit can be cleared after\nxfrm_dev_state_add() acquired a reference to \"struct net_device\".\nAlso, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit\nwhen acquiring a reference to \"struct net_device\".\n\nCommit 03891f820c21 (\"xfrm: handle NETDEV_UNREGISTER for xfrm device\")\nre-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that\ncommit for unknown reason chose to share xfrm_dev_down() between the\nNETDEV_DOWN event and the NETDEV_UNREGISTER event.\nI guess that that commit missed the behavior in the previous paragraph.\n\nTherefore, we need to re-introduce xfrm_dev_unregister() in order to\nrelease the reference to \"struct net_device\" by unconditionally flushing\nstate and policy.","Type":"Description","Title":"xfrm: always flush state and policy upon NETDEV_UNREGISTER event"}]}}}