CVE Catalog

CVE-2026-31518

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

A vulnerability was found in the Linux kernel's ESP over TCP (espintcp) implementation with async crypto. When the transmit queue is full, esp_output_tail_tcp returns an error but does not free the skb buffer, causing a memory leak. With synchronous crypto, the issue does not occur because the xfrm code drops the packet automatically.

Risk Assessment

The skb buffer leak can lead to kernel memory exhaustion, resulting in a denial of service (DoS) for systems using ESP over TCP with asynchronous encryption.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit 6c0e8b0d8f8e or later). If an update is not possible, temporarily disable async crypto for ESP over TCP.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us. With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS