{"id":"CVE-2026-31471","summary":"xfrm: iptfs: only publish mode_data after clone setup","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: only publish mode_data after clone setup\n\niptfs_clone_state() stores x-\u003emode_data before allocating the reorder\nwindow. If that allocation fails, the code frees the cloned state and\nreturns -ENOMEM, leaving x-\u003emode_data pointing at freed memory.\n\nThe xfrm clone unwind later runs destroy_state() through x-\u003emode_data,\nso the failed clone path tears down IPTFS state that clone_state()\nalready freed.\n\nKeep the cloned IPTFS state private until all allocations succeed so\nfailed clones leave x-\u003emode_data unset. The destroy path already\nhandles a NULL mode_data pointer.","modified":"2026-07-08T07:22:38.638281337Z","published":"2026-04-22T13:53:59.595Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31471.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31471.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31471"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6be02e3e4f376fea468846c8562655ca5ee18204"},{"fixed":"371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1"},{"fixed":"5784a1e2889c9525a8f036cb586930e232170bf7"},{"fixed":"d849a2f7309fc0616e79d13b008b0a47e0458b6e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31471.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.14.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31471.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}