CVE-2026-43107

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the xfrm component where the xfrm get ae() function allocates a reply socket buffer (skb) using xfrm aevent msgsize(), but the build aevent() function may append additional attributes, such as XFRMA IF ID, when x->if id is set. Because xfrm aevent msgsize() fails to account for the space required by XFRMA IF ID, the process can fail with an -EMSGSIZE error. This triggers a BUG ON(err < 0) condition in xfrm get ae(), which can lead to a kernel panic resulting from a malformed netlink interaction.

Recommendations Update the kernel to a version where XFRMA IF ID is unconditionally included in the size calculation and the BUG ON macro is replaced with normal error unwinding.