HOMEVULNERABILITIESCVE-2026-31517
MEDIUM

CVE-2026-31517

Published: April 22, 2026· Updated: Apr 28, 2026

5.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly

In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner

packet 'newskb' that is being reassembled. First a zero-copy approach is

tried if it succeeds then newskb becomes non-linear.

When a subsequent fragment in the same datagram does not meet the

fast-path conditions, a memory copy is performed. It calls skb_put() to

append the data and as newskb is non-linear it triggers

SKB_LINEAR_ASSERT check.

Oops: invalid opcode: 0000 [#1] SMP NOPTI

[...]

RIP: 0010:skb_put+0x3c/0x40

[...]

Call Trace:

<IRQ>

iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]

iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]

iptfs_input+0x122/0x3e0 [xfrm_iptfs]

xfrm_input+0x91e/0x1a50

xfrm4_esp_rcv+0x3a/0x110

ip_protocol_deliver_rcu+0x1d7/0x1f0

ip_local_deliver_finish+0xbe/0x1e0

__netif_receive_skb_core.constprop.0+0xb56/0x1120

__netif_receive_skb_list_core+0x133/0x2b0

netif_receive_skb_list_internal+0x1ff/0x3f0

napi_complete_done+0x81/0x220

virtnet_poll+0x9d6/0x116e [virtio_net]

__napi_poll.constprop.0+0x2b/0x270

net_rx_action+0x162/0x360

handle_softirqs+0xdc/0x510

__irq_exit_rcu+0xe7/0x110

irq_exit_rcu+0xe/0x20

common_interrupt+0x85/0xa0

</IRQ>

<TASK>

Fix this by checking if the skb is non-linear. If it is, linearize it by

calling skb_linearize(). As the initial allocation of newskb originally

reserved enough tailroom for the entire reassembled packet we do not

need to check if we have enough tailroom or extend it.

NVD Source

Technical Analysis

CVE-2026-31517 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (3)

Quick Facts

CVE IDCVE-2026-31517
CVSS Score5.5 / 10
SeverityMEDIUM
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedApr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31517 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.