Linux Kernel IPTFS mode_data dangling ptr in clone_state allocation failure
CVE-2026-31471 Published on April 22, 2026
xfrm: iptfs: only publish mode_data after clone setup
In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: only publish mode_data after clone setup
iptfs_clone_state() stores x->mode_data before allocating the reorder
window. If that allocation fails, the code frees the cloned state and
returns -ENOMEM, leaving x->mode_data pointing at freed memory.
The xfrm clone unwind later runs destroy_state() through x->mode_data,
so the failed clone path tears down IPTFS state that clone_state()
already freed.
Keep the cloned IPTFS state private until all allocations succeed so
failed clones leave x->mode_data unset. The destroy path already
handles a NULL mode_data pointer.
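The ordering problem described above, as a user-space C model added here for illustration; it is not the kernel's code or the upstream patch. The struct layouts, the `release()` stand-in for `kfree()` (it counts releases instead of freeing) and the `early`/`fail` switches are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the xfrm state and its IPTFS mode data. */
struct mode_state { void *win; int releases; };
struct state { struct mode_state *mode_data; };
/* Stand-in for kfree(): counts instead of freeing, so the model is safe. */
static void release(struct mode_state *m) { m->releases++; }

/* early = ordering described as the bug; otherwise the fixed ordering. */
static int clone_state(struct state *x, struct mode_state *m, bool early, bool fail)
{
    if (early)
        x->mode_data = m;               /* visible before setup has finished */
    m->win = fail ? NULL : malloc(64);  /* constructed fault injection */
    if (!m->win) {
        release(m);                     /* early ordering leaves x->mode_data stale */
        return -ENOMEM;
    }
    x->mode_data = m;                   /* publish only once every allocation succeeded */
    return 0;
}

/* Teardown through x->mode_data; a NULL pointer is simply skipped. */
static void destroy_state(struct state *x)
{
    struct mode_state *m = x->mode_data;
    if (!m)
        return;
    free(m->win);
    release(m);
}

/* Clone, then tear down; a correct path releases the object exactly once. */
static int teardown_releases(bool early, bool fail)
{
    struct mode_state m = {0};
    struct state x = {0};
    clone_state(&x, &m, early, fail);
    destroy_state(&x);
    return m.releases;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", teardown_releases(true, true), teardown_releases(false, true));
    return 0;
}
```

A release count above one on the failed-clone path corresponds to the unwind tearing down state that the clone routine already freed.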
Products Associated with CVE-2026-31471
Affected Versions
Linux:
- From commit 6be02e3e4f376fea468846c8562655ca5ee18204 and before commit 371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1 is affected.
- From commit 6be02e3e4f376fea468846c8562655ca5ee18204 and before commit 5784a1e2889c9525a8f036cb586930e232170bf7 is affected.
- From commit 6be02e3e4f376fea468846c8562655ca5ee18204 and before commit d849a2f7309fc0616e79d13b008b0a47e0458b6e is affected.
- Version 6.14 is affected.
- Versions before 6.14 are unaffected.
- Versions from 6.18.21 through 6.18.* are unaffected.
- Versions from 6.19.11 through 6.19.* are unaffected.
- Version 7.0 and later is unaffected.