CVE-2026-43167 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3
https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8
https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e
https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4
https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfrm: always flush state and policy upon NETDEV_UNREGISTER event syzbot is reporting that "struct xfrm_state" refcount is leaking. unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2 ref_tracker: netdev@ffff888052f24618 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_tracker_alloc include/linux/netdevice.h:4412 [inline] xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316 xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline] xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022 xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550 xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646 __sys_sendmsg+0x16d/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") implemented xfrm_dev_unregister() as no-op despite xfrm_dev_state_add() from xfrm_state_construct() acquires a reference to "struct net_device". I guess that that commit expected that NETDEV_DOWN event is fired before NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add() is called only if (dev->features & NETIF_F_HW_ESP) != 0. Sabrina Dubroca identified steps to reproduce the same symptoms as below. echo 0 > /sys/bus/netdevsim/new_device dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/) ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \ spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \ offload crypto dev $dev dir out ethtool -K $dev esp-hw-offload off echo 0 > /sys/bus/netdevsim/del_device Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after xfrm_dev_state_add() acquired a reference to "struct net_device". Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit when acquiring a reference to "struct net_device". Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device") re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that commit for unknown reason chose to share xfrm_dev_down() between the NETDEV_DOWN event and the NETDEV_UNREGISTER event. I guess that that commit missed the behavior in the previous paragraph. Therefore, we need to re-introduce xfrm_dev_unregister() in order to release the reference to "struct net_device" by unconditionally flushing state and policy.
Title		xfrm: always flush state and policy upon NETDEV_UNREGISTER event
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3 https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8 https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4 https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43167", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.990Z", "datePublished": "2026-05-06T11:27:43.904Z", "dateUpdated": "2026-05-06T11:27:43.904Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-06T11:27:43.904Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: always flush state and policy upon NETDEV_UNREGISTER event\n\nsyzbot is reporting that \"struct xfrm_state\" refcount is leaking.\n\n unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2\n ref_tracker: netdev@ffff888052f24618 has 1/1 users at\n __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]\n xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316\n xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]\n xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022\n xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550\n xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646\n __sys_sendmsg+0x16d/0x220 net/socket.c:2678\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis is because commit d77e38e612a0 (\"xfrm: Add an IPsec hardware\noffloading API\") implemented xfrm_dev_unregister() as no-op despite\nxfrm_dev_state_add() from xfrm_state_construct() acquires a reference\nto \"struct net_device\".\nI guess that that commit expected that NETDEV_DOWN event is fired before\nNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()\nis called only if (dev->features & NETIF_F_HW_ESP) != 0.\n\nSabrina Dubroca identified steps to reproduce the same symptoms as below.\n\n echo 0 > /sys/bus/netdevsim/new_device\n dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)\n ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \\\n spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \\\n offload crypto dev $dev dir out\n ethtool -K $dev esp-hw-offload off\n echo 0 > /sys/bus/netdevsim/del_device\n\nLike these steps indicate, the NETIF_F_HW_ESP bit can be cleared after\nxfrm_dev_state_add() acquired a reference to \"struct net_device\".\nAlso, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit\nwhen acquiring a reference to \"struct net_device\".\n\nCommit 03891f820c21 (\"xfrm: handle NETDEV_UNREGISTER for xfrm device\")\nre-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that\ncommit for unknown reason chose to share xfrm_dev_down() between the\nNETDEV_DOWN event and the NETDEV_UNREGISTER event.\nI guess that that commit missed the behavior in the previous paragraph.\n\nTherefore, we need to re-introduce xfrm_dev_unregister() in order to\nrelease the reference to \"struct net_device\" by unconditionally flushing\nstate and policy."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_device.c"], "versions": [{"version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3", "lessThan": "166801e49a5b5fc127b8c9e2f110f303cfddfbc3", "status": "affected", "versionType": "git"}, {"version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3", "lessThan": "a3c8fede034fa27892f87c863cbd5493167d17ed", "status": "affected", "versionType": "git"}, {"version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3", "lessThan": "59581778792cbaf8ad788f4a21dc663ce986050e", "status": "affected", "versionType": "git"}, {"version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3", "lessThan": "8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4", "status": "affected", "versionType": "git"}, {"version": "d77e38e612a017480157fe6d2c1422f42cb5b7e3", "lessThan": "4efa91a28576054aae0e6dad9cba8fed8293aef8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xfrm/xfrm_device.c"], "versions": [{"version": "4.12", "status": "affected"}, {"version": "0", "lessThan": "4.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3"}, {"url": "https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed"}, {"url": "https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e"}, {"url": "https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4"}, {"url": "https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8"}], "title": "xfrm: always flush state and policy upon NETDEV_UNREGISTER event", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: always flush state and policy upon NETDEV_UNREGISTER event\n\nsyzbot is reporting that \"struct xfrm_state\" refcount is leaking.\n\n unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2\n ref_tracker: netdev@ffff888052f24618 has 1/1 users at\n __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]\n xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316\n xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]\n xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022\n xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550\n xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646\n __sys_sendmsg+0x16d/0x220 net/socket.c:2678\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis is because commit d77e38e612a0 (\"xfrm: Add an IPsec hardware\noffloading API\") implemented xfrm_dev_unregister() as no-op despite\nxfrm_dev_state_add() from xfrm_state_construct() acquires a reference\nto \"struct net_device\".\nI guess that that commit expected that NETDEV_DOWN event is fired before\nNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()\nis called only if (dev->features & NETIF_F_HW_ESP) != 0.\n\nSabrina Dubroca identified steps to reproduce the same symptoms as below.\n\n echo 0 > /sys/bus/netdevsim/new_device\n dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)\n ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \\\n spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \\\n offload crypto dev $dev dir out\n ethtool -K $dev esp-hw-offload off\n echo 0 > /sys/bus/netdevsim/del_device\n\nLike these steps indicate, the NETIF_F_HW_ESP bit can be cleared after\nxfrm_dev_state_add() acquired a reference to \"struct net_device\".\nAlso, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit\nwhen acquiring a reference to \"struct net_device\".\n\nCommit 03891f820c21 (\"xfrm: handle NETDEV_UNREGISTER for xfrm device\")\nre-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that\ncommit for unknown reason chose to share xfrm_dev_down() between the\nNETDEV_DOWN event and the NETDEV_UNREGISTER event.\nI guess that that commit missed the behavior in the previous paragraph.\n\nTherefore, we need to re-introduce xfrm_dev_unregister() in order to\nrelease the reference to \"struct net_device\" by unconditionally flushing\nstate and policy."}], "id": "CVE-2026-43167", "lastModified": "2026-05-06T13:07:51.607", "metrics": {}, "published": "2026-05-06T12:16:34.913", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object