CVE-2026-43139

HIGH EPSS 29.4%
Published May 6, 20261mo ago · Modified Jun 17, 20261w ago
8.6 CVSS 3.1
High
Find Similar
Published May 6, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_get_saddr() xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6_get_saddr() still returns 0 (success). This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized address in xfrm_state_find(), triggering KMSAN warning: ===================================================== BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940 xfrm_state_find+0x2424/0xa940 xfrm_resolve_and_create_bundle+0x906/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 xfrm_lookup_route+0x63/0x2b0 ip_route_output_flow+0x1ce/0x270 udp_sendmsg+0x2ce1/0x3400 inet_sendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64_sys_sendto+0x130/0x200 x64_sys_call+0x332b/0x3e70 do_syscall_64+0xd3/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable tmp.i.i created at: xfrm_resolve_and_create_bundle+0x3e3/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 ===================================================== Fix by checking the return value of ipv6_dev_get_saddr() and propagating the error.

CVSS Details

Base Score
8.6
Exploitability
3.9
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability High

Threat Intelligence

EPSS Exploit Probability
29.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-908

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel*≥2.6.19  –  <5.10.252
linuxlinux_kernel*≥5.11  –  <5.15.202
linuxlinux_kernel*≥5.16  –  <6.1.165
linuxlinux_kernel*≥6.2  –  <6.6.128
linuxlinux_kernel*≥6.7  –  <6.12.75
linuxlinux_kernel*≥6.13  –  <6.18.16
linuxlinux_kernel*≥6.19  –  <6.19.6
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b
    Patch