{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31518", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.108Z", "datePublished": "2026-04-22T13:54:34.191Z", "dateUpdated": "2026-05-11T22:10:20.804Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:20.804Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/esp4.c", "net/ipv6/esp6.c"], "versions": [{"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "aca3ad0c262f54a5b5c95dda80a48365997d1224", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "41aafca57de4a4c026701622bd4648f112a9edcd", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "4820847e036ff1035b01b69ad68dfc17e7028fe9", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "6a3ec6efbc4f90e0ccb2e71574f07351f19996f4", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "df6f995358dc1f3c42484f5cfe241d7bd3e1cd15", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "88d386243ed374ac969dabd3bbc1409a31d81818", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "6aa9841d917532d0f2d932d1ff2f3a94305aaf47", "status": "affected", "versionType": "git"}, {"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "lessThan": "0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/esp4.c", "net/ipv6/esp6.c"], "versions": [{"version": "5.6", "status": "affected"}, {"version": "0", "lessThan": "5.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224"}, {"url": "https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd"}, {"url": "https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9"}, {"url": "https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4"}, {"url": "https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15"}, {"url": "https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818"}, {"url": "https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47"}, {"url": "https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2"}], "title": "esp: fix skb leak with espintcp and async crypto", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A46EE847-2B8F-4145-AB46-8D057B48AFC9", "versionEndExcluding": "5.10.253", "versionStartIncluding": "5.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error."}], "id": "CVE-2026-31518", "lastModified": "2026-04-28T17:25:54.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:51.410", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: esp: fix skb leak with espintcp and async crypto", "id": "2460653", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460653"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel. When the espintcp component processes network traffic using asynchronous cryptography, a memory leak can occur. This happens because a socket buffer (skb) is not correctly released if the transmit queue becomes full. This continuous leak of memory can lead to resource exhaustion, potentially allowing a remote attacker to cause a Denial of Service (DoS) on the system."], "name": "CVE-2026-31518", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31518\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31518\nhttps://lore.kernel.org/linux-cve-announce/2026042211-CVE-2026-31518-ba84@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,aca3ad0c262f54a5b5c95dda80a48365997d1224)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,41aafca57de4a4c026701622bd4648f112a9edcd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,4820847e036ff1035b01b69ad68dfc17e7028fe9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,6a3ec6efbc4f90e0ccb2e71574f07351f19996f4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,df6f995358dc1f3c42484f5cfe241d7bd3e1cd15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,88d386243ed374ac969dabd3bbc1409a31d81818)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,6aa9841d917532d0f2d932d1ff2f3a94305aaf47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e27cca96cd68fa2c6814c90f9a1cfd36bb68c593,0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.10.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.168,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.131,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.131,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.168,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.10.*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T02:23:01.493310+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the espintcp skb leak fix (e.g., apply the latest kernel patch series from the vendor).", "If immediate kernel upgrade is not possible, restrict or disable ESP over TCP traffic, or enforce strict rate limiting on incoming ESP packets.", "Monitor kernel memory consumption and the number of skbs in the network stack; investigate and alert if unexpected growth is observed."], "summary": {"action": "Apply Patch", "impact": "Remote Denial of Service via Memory Leak"}, "threat_synthesis": {"affected_systems": "Based on the description, the flaw exists in Linux kernel code that implements ESP over TCP. All Linux distributions packaging unpatched kernels are potentially affected; the advisory does not specify a precise kernel version range. Any system running the unpatched kernel build that handles IPsec over TCP and uses asynchronous crypto code is susceptible. The vulnerability affects the kernel itself rather than user\u2011space applications.", "description_and_impact": "Based on the description, this bug involves the Linux kernel's ESP over TCP (espintcp) module. When the transmit queue reaches capacity, esp_output_tail_tcp returns an error but fails to free the associated socket buffer (skb). With synchronous crypto, the subsequent common xfrm output drop handles the cleanup, but with asynchronous crypto (esp_output_done) the skb is never freed. The resulting leak accumulates unreferenced skbs in memory. Over time, unbounded accumulation can exhaust kernel memory, destabilizing the system. The weakness maps to CWE-401 (Memory Leak) and CWE-772. A remote attacker could trigger a denial\u2011of\u2011service by repeatedly sending ESP\u2011over\u2011TCP packets to fill the queue, causing the skb leak to accumulate and eventually exhaust kernel memory.", "risk_and_exploitability": "Because the EPSS score is < 1% and the CVE is not listed in the CISA KEV catalog, no large\u2011scale exploitation has been observed yet. The CVSS score of 5.5 indicates a medium severity. Based on the description, the attack vector is likely remote traffic targeting the ESP\u2011over\u2011TCP path, which can trigger the skb leak."}}}}, "created": "2026-04-22T18:30:23.553394+00:00", "updated": "2026-04-29T02:30:07.584757+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}