{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43090","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.984Z","datePublished":"2026-05-06T07:40:23.286Z","dateUpdated":"2026-05-11T22:17:32.208Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:17:32.208Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix refcount leak in xfrm_migrate_policy_find\n\nsyzkaller reported a memory leak in xfrm_policy_alloc:\n\n  BUG: memory leak\n  unreferenced object 0xffff888114d79000 (size 1024):\n    comm \"syz.1.17\", pid 931\n    ...\n    xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432\n\nThe root cause is a double call to xfrm_pol_hold_rcu() in\nxfrm_migrate_policy_find(). The lookup function already returns\na policy with held reference, making the second call redundant.\n\nRemove the redundant xfrm_pol_hold_rcu() call to fix the refcount\nimbalance and prevent the memory leak.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xfrm/xfrm_policy.c"],"versions":[{"version":"563d5ca93e883b9dcb4b7dc8967ac569fd91820d","lessThan":"21e235a36cfb6d145cefb10728f12f5dc5412f54","status":"affected","versionType":"git"},{"version":"563d5ca93e883b9dcb4b7dc8967ac569fd91820d","lessThan":"836ee1b0426ea3db31531e9581cc32f513d24e32","status":"affected","versionType":"git"},{"version":"563d5ca93e883b9dcb4b7dc8967ac569fd91820d","lessThan":"70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a","status":"affected","versionType":"git"},{"version":"563d5ca93e883b9dcb4b7dc8967ac569fd91820d","lessThan":"83317cce60a032c49480dcdabe146435bd689d03","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xfrm/xfrm_policy.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.12.83","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.18.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.19.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/21e235a36cfb6d145cefb10728f12f5dc5412f54"},{"url":"https://git.kernel.org/stable/c/836ee1b0426ea3db31531e9581cc32f513d24e32"},{"url":"https://git.kernel.org/stable/c/70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a"},{"url":"https://git.kernel.org/stable/c/83317cce60a032c49480dcdabe146435bd689d03"}],"title":"xfrm: fix refcount leak in xfrm_migrate_policy_find","x_generator":{"engine":"bippy-1.2.0"}}}}