CVE-2026-31515

af_key: validate families in pfkey_send_migrate()

Assigner: Linux
Reserved: 09.03.2026 Published: 22.04.2026 Updated: 22.04.2026

In the Linux kernel, the following vulnerability has been resolved:

af_key: validate families in pfkey_send_migrate()

syzbot was able to trigger a crash in skb_put() [1]

Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb.

Validate families early, do not wait set_ipsecrequest().

[1]

skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to d0c5aa8dd38887714f1aad04236a3620b56a5e4e (excl.) affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to e06b596fc4eb01936a2e5dccad17c946d660bab8 (excl.) affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to 8ddf8de7e758f6888988467af9ffc8adf589fb16 (excl.) affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to d3225e6b9bd51ec177970a628fe4b11237ce87d5 (excl.) affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to 7b18692c59afb8e5c364c8e3ac01e51dd6b52028 (excl.) affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to 83f644ea92987c100b82d8481ae2230faeed3d34 (excl.) affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to ee836e820a40e2ca4da8af7310bff92d586772d4 (excl.) affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to eb2d16a7d599dc9d4df391b5e660df9949963786 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to d0c5aa8dd38887714f1aad04236a3620b56a5e4e (excl.)
affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to e06b596fc4eb01936a2e5dccad17c946d660bab8 (excl.)
affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to 8ddf8de7e758f6888988467af9ffc8adf589fb16 (excl.)
affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to d3225e6b9bd51ec177970a628fe4b11237ce87d5 (excl.)
affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to 7b18692c59afb8e5c364c8e3ac01e51dd6b52028 (excl.)
affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to 83f644ea92987c100b82d8481ae2230faeed3d34 (excl.)
affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to ee836e820a40e2ca4da8af7310bff92d586772d4 (excl.)
affected from 08de61beab8a21c8e0b3906a97defda5f1f66ece to eb2d16a7d599dc9d4df391b5e660df9949963786 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 2.6.21 is affected unaffected from 0 to 2.6.21 (excl.) unaffected from 5.10.253 to 5.10.* (incl.) unaffected from 5.15.203 to 5.15.* (incl.) unaffected from 6.1.168 to 6.1.* (incl.) unaffected from 6.6.131 to 6.6.* (incl.) unaffected from 6.12.80 to 6.12.* (incl.) unaffected from 6.18.21 to 6.18.* (incl.) unaffected from 6.19.11 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 2.6.21 is affected
unaffected from 0 to 2.6.21 (excl.)
unaffected from 5.10.253 to 5.10.* (incl.)
unaffected from 5.15.203 to 5.15.* (incl.)
unaffected from 6.1.168 to 6.1.* (incl.)
unaffected from 6.6.131 to 6.6.* (incl.)
unaffected from 6.12.80 to 6.12.* (incl.)
unaffected from 6.18.21 to 6.18.* (incl.)
unaffected from 6.19.11 to 6.19.* (incl.)
unaffected from 7.0 to * (incl.)

References

CVE-2026-31515 PUBLISHED

af_key: validate families in pfkey_send_migrate()

Product Status

References