HOMEVULNERABILITIESCVE-2026-43167
NONE

CVE-2026-43167

Published: May 6, 2026· Updated: May 6, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.9th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: always flush state and policy upon NETDEV_UNREGISTER event

syzbot is reporting that "struct xfrm_state" refcount is leaking.

unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2

ref_tracker: netdev@ffff888052f24618 has 1/1 users at

__netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]

netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]

xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316

xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]

xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022

xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507

netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550

xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529

netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]

netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344

netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894

sock_sendmsg_nosec net/socket.c:727 [inline]

__sock_sendmsg net/socket.c:742 [inline]

____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592

___sys_sendmsg+0x134/0x1d0 net/socket.c:2646

__sys_sendmsg+0x16d/0x220 net/socket.c:2678

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]

do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94

entry_SYSCALL_64_after_hwframe+0x77/0x7f

This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware

offloading API") implemented xfrm_dev_unregister() as no-op despite

xfrm_dev_state_add() from xfrm_state_construct() acquires a reference

to "struct net_device".

I guess that that commit expected that NETDEV_DOWN event is fired before

NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()

is called only if (dev->features & NETIF_F_HW_ESP) != 0.

Sabrina Dubroca identified steps to reproduce the same symptoms as below.

echo 0 > /sys/bus/netdevsim/new_device

dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)

ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \

spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \

offload crypto dev $dev dir out

ethtool -K $dev esp-hw-offload off

echo 0 > /sys/bus/netdevsim/del_device

Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after

xfrm_dev_state_add() acquired a reference to "struct net_device".

Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit

when acquiring a reference to "struct net_device".

Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device")

re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that

commit for unknown reason chose to share xfrm_dev_down() between the

NETDEV_DOWN event and the NETDEV_UNREGISTER event.

I guess that that commit missed the behavior in the previous paragraph.

Therefore, we need to re-introduce xfrm_dev_unregister() in order to

release the reference to "struct net_device" by unconditionally flushing

state and policy.

NVD Source

Technical Analysis

CVE-2026-43167 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-43167
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43167 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.