CVE-2026-43167 (GCVE-0-2026-43167)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-06 11:27
Title
xfrm: always flush state and policy upon NETDEV_UNREGISTER event
Summary
In the Linux kernel, the following vulnerability has been resolved:

xfrm: always flush state and policy upon NETDEV_UNREGISTER event

syzbot is reporting that "struct xfrm_state" refcount is leaking.

  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2
  ref_tracker: netdev@ffff888052f24618 has 1/1 users at
       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
       netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]
       xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316
       xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]
       xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022
       xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507
       netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550
       xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529
       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344
       netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894
       sock_sendmsg_nosec net/socket.c:727 [inline]
       __sock_sendmsg net/socket.c:742 [inline]
       ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592
       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646
       __sys_sendmsg+0x16d/0x220 net/socket.c:2678
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") implemented xfrm_dev_unregister() as a no-op even though xfrm_dev_state_add(), called from xfrm_state_construct(), acquires a reference to "struct net_device". I guess that that commit expected that the NETDEV_DOWN event is fired before the NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add() is called only if (dev->features & NETIF_F_HW_ESP) != 0.

Sabrina Dubroca identified steps to reproduce the same symptoms as below.

  echo 0 > /sys/bus/netdevsim/new_device
  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)
  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \
     spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128   \
     offload crypto dev $dev dir out
  ethtool -K $dev esp-hw-offload off
  echo 0 > /sys/bus/netdevsim/del_device

As these steps indicate, the NETIF_F_HW_ESP bit can be cleared after xfrm_dev_state_add() has acquired a reference to "struct net_device". Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit when acquiring a reference to "struct net_device".

Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device") re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that commit, for an unknown reason, chose to share xfrm_dev_down() between the NETDEV_DOWN event and the NETDEV_UNREGISTER event. I guess that that commit missed the behavior described in the previous paragraph.

Therefore, we need to re-introduce xfrm_dev_unregister() in order to release the reference to "struct net_device" by unconditionally flushing state and policy.
Severity
No CVSS data available.
Assigner
Linux
Impacted products

Vendor   Product   Version
Linux    Linux     Affected: d77e38e612a017480157fe6d2c1422f42cb5b7e3 , < 166801e49a5b5fc127b8c9e2f110f303cfddfbc3 (git)
                   Affected: d77e38e612a017480157fe6d2c1422f42cb5b7e3 , < a3c8fede034fa27892f87c863cbd5493167d17ed (git)
                   Affected: d77e38e612a017480157fe6d2c1422f42cb5b7e3 , < 59581778792cbaf8ad788f4a21dc663ce986050e (git)
                   Affected: d77e38e612a017480157fe6d2c1422f42cb5b7e3 , < 8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4 (git)
                   Affected: d77e38e612a017480157fe6d2c1422f42cb5b7e3 , < 4efa91a28576054aae0e6dad9cba8fed8293aef8 (git)
Linux    Linux     Affected: 4.12
                   Unaffected: 0 , < 4.12 (semver)
                   Unaffected: 6.6.128 , ≤ 6.6.* (semver)
                   Unaffected: 6.12.75 , ≤ 6.12.* (semver)
                   Unaffected: 6.18.16 , ≤ 6.18.* (semver)
                   Unaffected: 6.19.6 , ≤ 6.19.* (semver)
                   Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "166801e49a5b5fc127b8c9e2f110f303cfddfbc3",
              "status": "affected",
              "version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3",
              "versionType": "git"
            },
            {
              "lessThan": "a3c8fede034fa27892f87c863cbd5493167d17ed",
              "status": "affected",
              "version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3",
              "versionType": "git"
            },
            {
              "lessThan": "59581778792cbaf8ad788f4a21dc663ce986050e",
              "status": "affected",
              "version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3",
              "versionType": "git"
            },
            {
              "lessThan": "8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4",
              "status": "affected",
              "version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3",
              "versionType": "git"
            },
            {
              "lessThan": "4efa91a28576054aae0e6dad9cba8fed8293aef8",
              "status": "affected",
              "version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: always flush state and policy upon NETDEV_UNREGISTER event\n\nsyzbot is reporting that \"struct xfrm_state\" refcount is leaking.\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2\n  ref_tracker: netdev@ffff888052f24618 has 1/1 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]\n       xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316\n       xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]\n       xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022\n       xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507\n       netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550\n       xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894\n       sock_sendmsg_nosec net/socket.c:727 [inline]\n       __sock_sendmsg net/socket.c:742 [inline]\n       ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592\n       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646\n       __sys_sendmsg+0x16d/0x220 net/socket.c:2678\n       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n       do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis is because commit d77e38e612a0 (\"xfrm: Add an IPsec hardware\noffloading API\") implemented xfrm_dev_unregister() as no-op despite\nxfrm_dev_state_add() from xfrm_state_construct() acquires a reference\nto \"struct net_device\".\nI guess that that commit expected that NETDEV_DOWN event is fired before\nNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()\nis called only if (dev-\u003efeatures \u0026 NETIF_F_HW_ESP) != 0.\n\nSabrina Dubroca identified steps to reproduce the same symptoms as below.\n\n  echo 0 \u003e /sys/bus/netdevsim/new_device\n  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)\n  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \\\n     spi 0x1000 mode tunnel aead \u0027rfc4106(gcm(aes))\u0027 $key 128   \\\n     offload crypto dev $dev dir out\n  ethtool -K $dev esp-hw-offload off\n  echo 0 \u003e /sys/bus/netdevsim/del_device\n\nLike these steps indicate, the NETIF_F_HW_ESP bit can be cleared after\nxfrm_dev_state_add() acquired a reference to \"struct net_device\".\nAlso, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit\nwhen acquiring a reference to \"struct net_device\".\n\nCommit 03891f820c21 (\"xfrm: handle NETDEV_UNREGISTER for xfrm device\")\nre-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that\ncommit for unknown reason chose to share xfrm_dev_down() between the\nNETDEV_DOWN event and the NETDEV_UNREGISTER event.\nI guess that that commit missed the behavior in the previous paragraph.\n\nTherefore, we need to re-introduce xfrm_dev_unregister() in order to\nrelease the reference to \"struct net_device\" by unconditionally flushing\nstate and policy."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-06T11:27:43.904Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8"
        }
      ],
      "title": "xfrm: always flush state and policy upon NETDEV_UNREGISTER event",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43167",
    "datePublished": "2026-05-06T11:27:43.904Z",
    "dateReserved": "2026-05-01T14:12:55.990Z",
    "dateUpdated": "2026-05-06T11:27:43.904Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43167",
      "date": "2026-05-10",
      "epss": "0.00018",
      "percentile": "0.04933"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43167\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T12:16:34.913\",\"lastModified\":\"2026-05-06T13:07:51.607\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfrm: always flush state and policy upon NETDEV_UNREGISTER event\\n\\nsyzbot is reporting that \\\"struct xfrm_state\\\" refcount is leaking.\\n\\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2\\n  ref_tracker: netdev@ffff888052f24618 has 1/1 users at\\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\\n       netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]\\n       xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316\\n       xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]\\n       xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022\\n       xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507\\n       netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550\\n       xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529\\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\\n       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344\\n       netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894\\n       sock_sendmsg_nosec net/socket.c:727 [inline]\\n       __sock_sendmsg net/socket.c:742 [inline]\\n       ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592\\n       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646\\n       __sys_sendmsg+0x16d/0x220 net/socket.c:2678\\n       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n       do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nThis is because commit d77e38e612a0 (\\\"xfrm: Add an IPsec hardware\\noffloading API\\\") implemented xfrm_dev_unregister() as no-op despite\\nxfrm_dev_state_add() from xfrm_state_construct() acquires a reference\\nto \\\"struct net_device\\\".\\nI guess that that commit expected that NETDEV_DOWN event is fired before\\nNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()\\nis called only if (dev-\u003efeatures \u0026 NETIF_F_HW_ESP) != 0.\\n\\nSabrina Dubroca identified steps to reproduce the same symptoms as below.\\n\\n  echo 0 \u003e /sys/bus/netdevsim/new_device\\n  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)\\n  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \\\\\\n     spi 0x1000 mode tunnel aead \u0027rfc4106(gcm(aes))\u0027 $key 128   \\\\\\n     offload crypto dev $dev dir out\\n  ethtool -K $dev esp-hw-offload off\\n  echo 0 \u003e /sys/bus/netdevsim/del_device\\n\\nLike these steps indicate, the NETIF_F_HW_ESP bit can be cleared after\\nxfrm_dev_state_add() acquired a reference to \\\"struct net_device\\\".\\nAlso, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit\\nwhen acquiring a reference to \\\"struct net_device\\\".\\n\\nCommit 03891f820c21 (\\\"xfrm: handle NETDEV_UNREGISTER for xfrm device\\\")\\nre-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that\\ncommit for unknown reason chose to share xfrm_dev_down() between the\\nNETDEV_DOWN event and the NETDEV_UNREGISTER event.\\nI guess that that commit missed the behavior in the previous paragraph.\\n\\nTherefore, we need to re-introduce xfrm_dev_unregister() in order to\\nrelease the reference to \\\"struct net_device\\\" by unconditionally flushing\\nstate and policy.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}
