CVE-2026-31518 Overview
A memory leak vulnerability has been identified in the Linux kernel's ESP (Encapsulating Security Payload) implementation, specifically affecting the espintcp subsystem when used with asynchronous cryptographic operations. When the TX queue for espintcp is full, the esp_output_tail_tcp function returns an error without properly freeing the socket buffer (skb). While synchronous crypto operations rely on the common xfrm output code to drop the packet, asynchronous crypto operations via esp_output_done fail to properly release the skb when esp_output_tail_tcp returns an error, leading to a kernel memory leak.
Critical Impact
Repeated triggering of this vulnerability can lead to kernel memory exhaustion, potentially causing system instability or denial of service on systems using IPsec with TCP encapsulation and async crypto.
Affected Products
- Linux Kernel (ESP/espintcp subsystem)
- Systems using IPsec with TCP encapsulation
- Systems utilizing asynchronous cryptographic operations for ESP
Discovery Timeline
- April 22, 2026 - CVE-2026-31518 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31518
Vulnerability Analysis
This vulnerability occurs in the Linux kernel's ESP implementation within the IPsec networking stack. The issue manifests when handling ESP packets encapsulated in TCP (espintcp) in conjunction with asynchronous cryptographic processing. The root cause lies in inconsistent memory management between synchronous and asynchronous code paths.
In the synchronous crypto path, when esp_output_tail_tcp encounters a full TX queue and returns an error, the xfrm (transform) output layer correctly handles packet cleanup. However, the asynchronous path through esp_output_done lacks the corresponding cleanup logic, causing socket buffers to remain allocated when errors occur.
This memory leak can be exploited by an attacker who can influence network conditions to cause TX queue saturation, leading to progressive kernel memory consumption.
Root Cause
The vulnerability stems from an asymmetric handling of error conditions between synchronous and asynchronous cryptographic code paths in the ESP module. The esp_output_done callback, which handles completion of asynchronous crypto operations, does not properly free the skb (socket buffer) when esp_output_tail_tcp returns an error due to a full TX queue. This oversight creates a memory leak that accumulates over time.
Attack Vector
An attacker capable of causing TX queue congestion on systems using IPsec with TCP encapsulation and async crypto could trigger repeated skb leaks. This could be achieved through:
- Sending high volumes of traffic to saturate the TX queue
- Exploiting network conditions that delay packet transmission
- Targeting systems with limited TX queue capacity
Over time, the accumulated memory leaks could exhaust available kernel memory, leading to denial of service conditions.
The vulnerability exists in the kernel networking stack and requires network access to trigger the affected code path.
Detection Methods for CVE-2026-31518
Indicators of Compromise
- Gradual increase in kernel memory usage over time on systems running IPsec with espintcp
- System logs indicating memory allocation failures in networking subsystems
- Unexplained growth in slab memory allocations related to skb structures
Detection Strategies
- Monitor kernel memory statistics for abnormal growth patterns using kernel interfaces such as /proc/meminfo and /proc/slabinfo
- Implement alerting on systems where IPsec with TCP encapsulation is deployed when TX queue drops are detected
- Use kernel tracing tools (ftrace, bpftrace) to monitor esp_output_tail_tcp error returns in conjunction with async crypto completions
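The slab-growth check described above can be automated. The following is an added example, not code from the advisory or the kernel project: it parses periodic /proc/slabinfo snapshots and flags skb caches whose active object count never drops and grows past a threshold. The watched cache names, the 50% threshold and the sample snapshots are assumptions constructed for illustration; sustained growth is a signal to investigate, not proof of this specific leak.

```python
# Constructed /proc/slabinfo excerpts (format version 2.1); the counts are
# illustrative values, not measurements from a real host.
HEADER = "slabinfo - version: 2.1\n# name <active_objs> <num_objs> <objsize> ...\n"
ROW = "{:<22}{:>7}{:>7}{:>7}   32    2 : tunables 0 0 0 : slabdata 80 80 0\n"

def make_snapshot(head_objs, fclone_objs):
    """Build one constructed snapshot containing the two skb caches."""
    return (HEADER
            + ROW.format("skbuff_head_cache", head_objs, head_objs + 64, 256)
            + ROW.format("skbuff_fclone_cache", fclone_objs, fclone_objs + 32, 512))

SAMPLES = [make_snapshot(h, f)
           for h, f in [(2304, 480), (3100, 512), (4250, 470), (5600, 505)]]

# Assumption: these caches are the ones worth watching for leaked skb heads.
WATCHED = ("skbuff_head_cache", "skbuff_fclone_cache")

def parse_slabinfo(text):
    """Return {cache_name: (active_objs, objsize)} for one snapshot."""
    caches = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("slabinfo", "#")):
            continue
        fields = line.split()
        # Columns: name active_objs num_objs objsize objperslab pagesperslab ...
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        caches[fields[0]] = (int(fields[1]), int(fields[3]))
    return caches

def leak_suspects(snapshots, watched=WATCHED, min_growth=0.5):
    """Return {cache: grown_bytes} for caches that never shrink across the
    snapshots and grow by at least min_growth relative to the first one."""
    series = {}
    for snap in snapshots:
        parsed = parse_slabinfo(snap)
        for name in watched:
            if name in parsed:
                series.setdefault(name, []).append(parsed[name])
    suspects = {}
    for name, points in series.items():
        counts = [active for active, _ in points]
        if len(counts) < 3 or counts[0] == 0:
            continue  # too few samples to call it a trend
        never_shrinks = all(b >= a for a, b in zip(counts, counts[1:]))
        growth = (counts[-1] - counts[0]) / counts[0]
        if never_shrinks and growth >= min_growth:
            suspects[name] = (counts[-1] - counts[0]) * points[-1][1]
    return suspects

if __name__ == "__main__":
    print(leak_suspects(SAMPLES))
```

On a live host, replace SAMPLES with the contents of /proc/slabinfo read as root at a fixed interval, and correlate any flagged cache with TX queue drops on the espintcp tunnel.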
Monitoring Recommendations
- Enable and review kernel logging for ESP and xfrm subsystem warnings
- Deploy system monitoring to track kernel memory usage trends on affected systems
- Monitor network interface TX queue statistics for saturation events using ethtool -S or similar utilities
How to Mitigate CVE-2026-31518
Immediate Actions Required
- Apply the kernel patches from the official stable kernel branches as soon as possible
- If patching is not immediately possible, consider temporarily switching to synchronous crypto operations for IPsec if performance impact is acceptable
- Monitor affected systems closely for signs of memory exhaustion
Patch Information
Multiple patches have been committed to the Linux kernel stable branches to address this vulnerability. The fix ensures that esp_output_done properly frees the skb when esp_output_tail_tcp returns an error during asynchronous crypto operations. The relevant kernel commits are available from the official kernel git repository:
- Kernel Git Commit 0c0eef8
- Kernel Git Commit 41aafca
- Kernel Git Commit 4820847
- Kernel Git Commit 6a3ec6e
- Kernel Git Commit 6aa9841
- Kernel Git Commit 88d3862
- Kernel Git Commit aca3ad0
- Kernel Git Commit df6f995
Workarounds
- Consider temporarily disabling espintcp (ESP-in-TCP encapsulation) if not critical to operations, using standard ESP over UDP instead
- Increase TX queue sizes to reduce the likelihood of queue saturation triggering the vulnerable code path
- Implement rate limiting on IPsec traffic to prevent TX queue exhaustion
# Example: Increase TX queue length on the network interface (replace eth0 with the IPsec-facing interface)
ip link set dev eth0 txqueuelen 10000
# Example: Monitor skb memory allocations (reading /proc/slabinfo requires root)
grep skb /proc/slabinfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


