CVE-2026-43167

Published: Mag 06, 2026 Last Modified: Mag 06, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

xfrm: always flush state and policy upon NETDEV_UNREGISTER event

syzbot is reporting that 'struct xfrm_state' refcount is leaking.

unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2
ref_tracker: netdev@ffff888052f24618 has 1/1 users at
__netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]
xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316
xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]
xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022
xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550
xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592
___sys_sendmsg+0x134/0x1d0 net/socket.c:2646
__sys_sendmsg+0x16d/0x220 net/socket.c:2678
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

This is because commit d77e38e612a0 ('xfrm: Add an IPsec hardware
offloading API') implemented xfrm_dev_unregister() as no-op despite
xfrm_dev_state_add() from xfrm_state_construct() acquires a reference
to 'struct net_device'.
I guess that that commit expected that NETDEV_DOWN event is fired before
NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()
is called only if (dev->features & NETIF_F_HW_ESP) != 0.

Sabrina Dubroca identified steps to reproduce the same symptoms as below.

echo 0 > /sys/bus/netdevsim/new_device
dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)
ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \
spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \
offload crypto dev $dev dir out
ethtool -K $dev esp-hw-offload off
echo 0 > /sys/bus/netdevsim/del_device

Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after
xfrm_dev_state_add() acquired a reference to 'struct net_device'.
Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit
when acquiring a reference to 'struct net_device'.

Commit 03891f820c21 ('xfrm: handle NETDEV_UNREGISTER for xfrm device')
re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that
commit for unknown reason chose to share xfrm_dev_down() between the
NETDEV_DOWN event and the NETDEV_UNREGISTER event.
I guess that that commit missed the behavior in the previous paragraph.

Therefore, we need to re-introduce xfrm_dev_unregister() in order to
release the reference to 'struct net_device' by unconditionally flushing
state and policy.

https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f11…
https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3
https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cb…
https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8
https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21d…
https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e
https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb…
https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4
https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cb…
https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed