Search for vulnerabilities
| Vulnerability ID | VCID-xkj5-rhsg-kfge |
| Aliases |
CVE-2026-31472
|
| Summary | In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload Add validation of the inner IPv4 packet tot_len and ihl fields parsed from decrypted IPTFS payloads in __input_process_payload(). A crafted ESP packet containing an inner IPv4 header with tot_len=0 causes an infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the data offset never advances and the while(data < tail) loop never terminates, spinning forever in softirq context. Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct iphdr), which catches both the tot_len=0 case and malformed ihl values. The normal IP stack performs this validation in ip_rcv_core(), but IPTFS extracts and processes inner packets before they reach that layer. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00013 | https://api.first.org/data/v1/epss?cve=CVE-2026-31472 |
| epss | 0.00013 | https://api.first.org/data/v1/epss?cve=CVE-2026-31472 |
| epss | 0.00013 | https://api.first.org/data/v1/epss?cve=CVE-2026-31472 |
| epss | 0.00013 | https://api.first.org/data/v1/epss?cve=CVE-2026-31472 |
| epss | 0.00017 | https://api.first.org/data/v1/epss?cve=CVE-2026-31472 |
| epss | 0.00017 | https://api.first.org/data/v1/epss?cve=CVE-2026-31472 |
| Percentile | 0.02195 |
| EPSS Score | 0.00013 |
| Published At | April 29, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-23T05:41:01.291368+00:00 | Debian Importer | Import | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |