CVE-2026-31518
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
A vulnerability was found in the Linux kernel's ESP over TCP (espintcp) implementation with async crypto. When the transmit queue is full, esp_output_tail_tcp returns an error but does not free the skb buffer, causing a memory leak. With synchronous crypto, the issue does not occur because the xfrm code drops the packet automatically.
Risk Assessment
The skb buffer leak can lead to kernel memory exhaustion, resulting in a denial of service (DoS) for systems using ESP over TCP with asynchronous encryption.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit 6c0e8b0d8f8e or later). If an update is not possible, temporarily disable async crypto for ESP over TCP.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us. With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.

