CVE-2026-31515 Overview
CVE-2026-31515 is a buffer overflow in the Linux kernel's af_key subsystem (the PF_KEY socket implementation in net/key/af_key.c), specifically in pfkey_send_migrate(). It was found by syzbot fuzzing. pfkey_send_migrate() did not validate the old and new address families of an IPsec migration request before using them, and the @family argument of set_ipsecrequest() is narrower than the values it is called with: struct xfrm_migrate carries old_family and new_family as 16-bit fields, while set_ipsecrequest() takes family as a uint8_t. A family value the PF_KEY encoder does not support is therefore used untruncated when the socket buffer (skb) is sized and truncated when the data is written, and the two sizes need not agree.
When they disagree in the wrong direction, the write runs past the end of the skb and skb_put() calls skb_over_panic(), a BUG() in the network core. That kills the calling task with an oops; whether the whole system panics depends on kernel.panic_on_oops. The underlying problem is insufficient validation of migration parameters before af_key formats the PF_KEY notification. PF_KEY is the legacy key-management socket interface for IPsec (RFC 2367).
Critical Impact
This vulnerability lets a local attacker holding CAP_NET_ADMIN trigger a kernel BUG through a malformed IPsec migration request, resulting in denial of service (a killed task, or a full panic where kernel.panic_on_oops is set) on affected Linux systems. On systems that allow unprivileged user namespaces, CAP_NET_ADMIN obtained inside a child user namespace satisfies the kernel's ns_capable() check on both sockets involved, so unprivileged local users may also reach this path.
Affected Products
- Linux kernel (multiple stable branches affected)
- Systems with the af_key module present (built in, already loaded, or autoloadable when a process opens a PF_KEY socket)
- Linux-based network appliances and servers with IPsec/XFRM enabled
Discovery Timeline
- 2026-04-22 - CVE-2026-31515 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31515
Vulnerability Analysis
The vulnerability is in pfkey_send_migrate() in net/key/af_key.c, the key-manager callback af_key registers so that it is notified when IPsec security associations are migrated between addresses; it formats the migration as a PF_KEY message and broadcasts it to PF_KEY listeners. The core issue is that the old and new address families are used to size and fill that message without first being checked against the families the PF_KEY encoder supports (AF_INET and AF_INET6).
The crash is reported from skb_put(), which appends data to an skb and calls skb_over_panic() when the new tail would lie past the end of the allocation. The kernel crash trace shows the check firing at skb_put+0x159/0x210 in net/core/skbuff.c:2655, called from set_ipsecrequest() within pfkey_send_migrate().
The crash dump reports tail 0x188 against end 0x180: the put that tripped the check ran 8 bytes past the end of the skb allocation. That figure is the distance beyond skb->end at the moment the check fired, which can be smaller than the underlying sizing error because skb->end reflects the slab-rounded allocation; the cause either way is the unvalidated family value producing one size when the skb is reserved and another when it is written.
Root Cause
The root cause is twofold. First, pfkey_send_migrate() does not validate the old and new address families before processing the migration. Second, the @family argument of set_ipsecrequest() is a uint8_t while the families in struct xfrm_migrate are 16-bit, so a value with its high byte set is silently truncated on the call. The skb is sized from the untruncated value, for which the PF_KEY address helpers report no address space because they only know AF_INET and AF_INET6, but it is filled using the truncated value, which can name a real family with a non-zero address size, so the write exceeds the reservation.
The fix validates both address families in pfkey_send_migrate() before anything is sized or passed to set_ipsecrequest(), so an unsupported family is rejected instead of being truncated, and the skb reservation matches what is written.
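The size mismatch described above, as an added user-space model (not kernel code, and not the upstream patch): it reproduces the reservation-versus-write arithmetic with simplified stand-ins for the kernel's pfkey_sockaddr_len() and pfkey_sockaddr_pair_size(), an assumed 16-byte sadb_x_ipsecrequest header, and the same uint8_t narrowing on the write path, then shows the up-front family check the fix is described as adding. Everything named in the block is an assumption of the model except the kernel function names it refers to in comments.

```c
/*
 * Added example (not kernel code): a user-space model of why the skb space
 * reserved in pfkey_send_migrate() and the space consumed by
 * set_ipsecrequest() can disagree once the family value is truncated.
 *
 * Assumptions, all labelled here: the struct sadb_x_ipsecrequest header is
 * taken as 16 bytes; address sizes come from the C library's sockaddr_in /
 * sockaddr_in6; sockaddr_len_for() and sockaddr_pair_size() are simplified
 * stand-ins for the kernel's pfkey_sockaddr_len() and
 * pfkey_sockaddr_pair_size(), which return 0 for any family other than
 * AF_INET and AF_INET6.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define IPSECREQUEST_HDR_LEN ((size_t)16)            /* assumed sizeof(struct sadb_x_ipsecrequest) */
#define ALIGN8(n) (((n) + (size_t)7) & ~(size_t)7)   /* PF_KEY extensions are 8-byte units */

/* Model of pfkey_sockaddr_len(): only two families have an address size. */
static size_t sockaddr_len_for(uint16_t family)
{
	switch (family) {
	case AF_INET:  return sizeof(struct sockaddr_in);
	case AF_INET6: return sizeof(struct sockaddr_in6);
	default:       return 0;
	}
}

/* Model of pfkey_sockaddr_pair_size(): source + destination, aligned. */
static size_t sockaddr_pair_size(uint16_t family)
{
	return ALIGN8(2 * sockaddr_len_for(family));
}

/* pfkey_send_migrate() sizes the skb with the 16-bit family from struct xfrm_migrate. */
size_t bytes_reserved(uint16_t family)
{
	return IPSECREQUEST_HDR_LEN + sockaddr_pair_size(family);
}

/* set_ipsecrequest() takes family as uint8_t, so its put is sized from the truncated value. */
size_t bytes_written(uint16_t family)
{
	uint8_t truncated = (uint8_t)family;	/* the implicit narrowing on the call */
	return IPSECREQUEST_HDR_LEN + sockaddr_pair_size(truncated);
}

/* How far the write exceeds the reservation for this family value (0 when consistent). */
size_t overrun_for_family(uint16_t family)
{
	size_t reserved = bytes_reserved(family);
	size_t written = bytes_written(family);
	return written > reserved ? written - reserved : 0;
}

/*
 * The check the fix is described as adding: reject both families up front,
 * before anything is sized or truncated. 0 = accepted, -1 = rejected
 * (standing in for -EINVAL).
 */
int validate_migrate_families(uint16_t old_family, uint16_t new_family)
{
	if (sockaddr_len_for(old_family) == 0 || sockaddr_len_for(new_family) == 0)
		return -1;
	return 0;
}

int main(void)
{
	/* Constructed inputs: the two valid families and the same values with a high byte set. */
	const uint16_t families[] = { AF_INET, AF_INET6, 0x0100 | AF_INET, 0x0100 | AF_INET6 };

	for (size_t i = 0; i < sizeof families / sizeof families[0]; i++) {
		uint16_t f = families[i];
		printf("family 0x%04x: reserved %zu, written %zu, overrun %zu, validate=%d\n",
		       f, bytes_reserved(f), bytes_written(f), overrun_for_family(f),
		       validate_migrate_families(f, f));
	}
	return 0;
}
```

For a valid family the two sizes agree; for a value whose low byte is AF_INET or AF_INET6 but whose high byte is set, the reservation contains no address space while the write contains a full sockaddr pair. The overrun this model computes is the sizing error itself; the 8 bytes in the crash dump is how far the failing put went past the slab-rounded skb->end, so the two numbers are not expected to match. With the check in place the bad value never reaches the sizing code.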
Attack Vector
An attacker with local access and CAP_NET_ADMIN can submit an IPsec migration request whose old or new family is not a supported value. The request is an XFRM_MSG_MIGRATE message on a NETLINK_XFRM socket; it is handled by xfrm_do_migrate() and reaches af_key through xfrm_migrate() → km_migrate() → pfkey_send_migrate(). Because the families are not validated, set_ipsecrequest() writes beyond the reserved skb space, skb_put() hits the skb_over_panic() BUG, and the task is killed or the system panics depending on kernel.panic_on_oops. The PF_KEY socket is not the delivery channel for the request: it matters because af_key must be loaded for pfkey_send_migrate() to be registered as a key manager, and opening a PF_KEY socket autoloads the af_key module.
The attack flow involves:
- Ensuring the af_key key manager is registered: the module is built in, already loaded, or autoloaded by opening a PF_KEY socket (which requires CAP_NET_ADMIN in the socket's network namespace)
- Sending an XFRM_MSG_MIGRATE message over NETLINK_XFRM (also CAP_NET_ADMIN) carrying invalid old/new family values
- The kernel accepts the message and hands the migration to every registered key manager without validating the families
- set_ipsecrequest() writes past the skb reservation and skb_put() triggers the skb_over_panic() BUG
Detection Methods for CVE-2026-31515
Indicators of Compromise
- Kernel panic messages containing skb_over_panic in system logs
- Crash traces showing pfkey_send_migrate or set_ipsecrequest in the call stack
- Unexpected system reboots on servers with active IPsec configurations
Detection Strategies
- Monitor kernel logs for BUG assertions in net/core/skbuff.c or net/key/af_key.c
- Implement kernel crash dump analysis to identify exploitation attempts
- Deploy auditd rules to monitor creation of PF_KEY and NETLINK_XFRM sockets, the two socket types involved in this path
Monitoring Recommendations
- Enable kernel crash dump collection via kdump or similar mechanisms
- Monitor for unusual XFRM/IPsec migration activity patterns
- Set up alerts for kernel oops or BUG messages in dmesg output
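The crash signature the indicators above describe, turned into detection logic as an added example (not from the page, the kernel or any vendor tooling): it scans a kernel log for a skb_over_panic line, parses the tail and end offsets the kernel prints on it, and only reports a match when the call trace that follows contains the af_key frames pfkey_send_migrate or set_ipsecrequest. The sample log is constructed in the shape of a kernel oops; its addresses are placeholders, and the af_key frames carry no offsets or line numbers because the page gives none.

```c
/*
 * Added example (not from the page, the kernel or any vendor tooling): a
 * small detector for the crash signature listed above, run over a
 * constructed kernel-log excerpt. It finds a skb_over_panic line, parses the
 * tail/end offsets the kernel prints on it ("tail:0x... end:0x..."), and
 * checks whether the call trace that follows contains the af_key frames
 * pfkey_send_migrate or set_ipsecrequest. The sample below is constructed in
 * the shape of a kernel oops; its addresses are placeholders and the af_key
 * frames carry no offsets or line numbers because the page gives none.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct oops_match {
	int saw_skb_over_panic;		/* a skb_over_panic line with tail/end fields was found */
	int af_key_in_trace;		/* pfkey_send_migrate/set_ipsecrequest seen after it */
	unsigned long tail, end;	/* offsets parsed from the panic line */
};

/* Constructed sample: one oops in the form this CVE produces. */
static const char SAMPLE_LOG[] =
	"skbuff: skb_over_panic: text:ffffffff81000000 len:392 put:48 head:ffff888000000000 "
	"data:ffff888000000000 tail:0x188 end:0x180 dev:<NULL>\n"
	"kernel BUG at net/core/skbuff.c:2655!\n"
	"Call Trace:\n"
	" <TASK>\n"
	" skb_put+0x159/0x210 net/core/skbuff.c:2655\n"
	" set_ipsecrequest net/key/af_key.c [inline]\n"
	" pfkey_send_migrate net/key/af_key.c\n"
	" km_migrate net/xfrm/xfrm_state.c\n"
	" xfrm_migrate net/xfrm/xfrm_policy.c\n"
	" xfrm_do_migrate net/xfrm/xfrm_user.c\n"
	" </TASK>\n";

/* Value of a "key:<hex>" field on the line, or 0 if the key is absent. */
static unsigned long hex_field(const char *line, const char *key)
{
	const char *p = strstr(line, key);
	return p ? strtoul(p + strlen(key), NULL, 16) : 0;
}

/* Walk a NUL-terminated log buffer line by line and collect the signature. */
struct oops_match scan_kernel_log(const char *log)
{
	struct oops_match m = {0};
	const char *line = log;

	while (*line) {
		const char *nl = strchr(line, '\n');
		size_t len = nl ? (size_t)(nl - line) : strlen(line);
		char buf[512];

		if (len >= sizeof buf)
			len = sizeof buf - 1;	/* truncate overlong lines; the tokens we need come first */
		memcpy(buf, line, len);
		buf[len] = '\0';

		/* The panic message itself carries tail:/end:; a trace frame named skb_over_panic does not. */
		if (strstr(buf, "skb_over_panic") && strstr(buf, "tail:")) {
			m.saw_skb_over_panic = 1;
			m.af_key_in_trace = 0;	/* a new panic line starts a new trace */
			m.tail = hex_field(buf, "tail:");
			m.end = hex_field(buf, "end:");
		} else if (m.saw_skb_over_panic &&
			   (strstr(buf, "pfkey_send_migrate") || strstr(buf, "set_ipsecrequest"))) {
			m.af_key_in_trace = 1;
		}
		if (!nl)
			break;
		line = nl + 1;
	}
	return m;
}

/* 1 when the log carries the skb_over_panic-in-af_key-migrate signature, else 0. */
int matches_af_key_migrate_crash(const char *log)
{
	struct oops_match m = scan_kernel_log(log);
	return m.saw_skb_over_panic && m.af_key_in_trace;
}

/* Bytes the failing put ran past skb->end, or 0 when no panic line was parsed. */
unsigned long overrun_past_end(const char *log)
{
	struct oops_match m = scan_kernel_log(log);
	return m.tail > m.end ? m.tail - m.end : 0;
}

int main(void)
{
	printf("match=%d overrun=%lu bytes\n",
	       matches_af_key_migrate_crash(SAMPLE_LOG), overrun_past_end(SAMPLE_LOG));
	return 0;
}
```

Requiring both the panic line and an af_key frame keeps unrelated skb_over_panic reports (other drivers and protocols hit the same BUG) from being classified as this issue; feeding it the output of journalctl -k or a kdump vmcore-dmesg is the intended use. The tail/end difference it reports is the figure the page quotes (8 bytes for the documented crash), which is useful for correlating separate reports of the same bug.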
How to Mitigate CVE-2026-31515
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Limit who can reach the path by restricting CAP_NET_ADMIN, including CAP_NET_ADMIN obtained inside unprivileged user namespaces
- If PF_KEY is not required, prevent the af_key module from loading; note that IPsec migration itself has no runtime switch (it is enabled at build time by CONFIG_XFRM_MIGRATE and CONFIG_NET_KEY_MIGRATE)
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches to address this vulnerability. The fix implements early validation of address families in pfkey_send_migrate() before data is processed by set_ipsecrequest().
Patches are available from the following kernel git commits:
- Kernel Git Commit 7b18692
- Kernel Git Commit 83f644e
- Kernel Git Commit 8ddf8de
- Kernel Git Commit d0c5aa8
- Kernel Git Commit d3225e6
- Kernel Git Commit e06b596
- Kernel Git Commit eb2d16a
- Kernel Git Commit ee836e8
Workarounds
- Remove the vulnerable code path where PF_KEY is not needed: on most distributions af_key is a loadable module, and pfkey_send_migrate() can only run if that module is loaded. Blocking it also stops the autoload that opening a PF_KEY socket triggers (this assumes CONFIG_NET_KEY=m; if af_key is built in, only a kernel update helps)
- There is no runtime switch for IPsec/XFRM migration; removing it means rebuilding the kernel without CONFIG_XFRM_MIGRATE and CONFIG_NET_KEY_MIGRATE
- Restrict PF_KEY and NETLINK_XFRM socket access through SELinux or AppArmor policies
- Limit the assignment of CAP_NET_ADMIN to trusted processes only; where operationally acceptable, also limit unprivileged user namespaces (for example user.max_user_namespaces), since CAP_NET_ADMIN in a child user namespace satisfies the kernel's check
# Prevent af_key from loading (assumes it is built as a module, not built in)
echo 'install af_key /bin/false' > /etc/modprobe.d/disable-af_key.conf
# Unload it if it is already loaded and no PF_KEY socket is open, then verify
modprobe -r af_key
lsmod | grep af_key
# Audit creation of PF_KEY sockets (family 15) and NETLINK_XFRM sockets
# (family 16, protocol 6), the two socket types involved in this path
auditctl -a always,exit -F arch=b64 -S socket -F a0=15 -k pfkey_socket
auditctl -a always,exit -F arch=b64 -S socket -F a0=16 -F a2=6 -k xfrm_netlink
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


