{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43139","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.988Z","datePublished":"2026-05-06T11:27:24.898Z","dateUpdated":"2026-05-11T22:18:30.795Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:18:30.795Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: fix uninitialized saddr in xfrm6_get_saddr()\n\nxfrm6_get_saddr() does not check the return value of\nipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable\nsource address (returns -EADDRNOTAVAIL), saddr->in6 is left\nuninitialized, but xfrm6_get_saddr() still returns 0 (success).\n\nThis causes the caller xfrm_tmpl_resolve_one() to use the uninitialized\naddress in xfrm_state_find(), triggering KMSAN warning:\n\n=====================================================\nBUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940\n xfrm_state_find+0x2424/0xa940\n xfrm_resolve_and_create_bundle+0x906/0x5a20\n xfrm_lookup_with_ifid+0xcc0/0x3770\n xfrm_lookup_route+0x63/0x2b0\n ip_route_output_flow+0x1ce/0x270\n udp_sendmsg+0x2ce1/0x3400\n inet_sendmsg+0x1ef/0x2a0\n __sock_sendmsg+0x278/0x3d0\n __sys_sendto+0x593/0x720\n __x64_sys_sendto+0x130/0x200\n x64_sys_call+0x332b/0x3e70\n do_syscall_64+0xd3/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable tmp.i.i created at:\n xfrm_resolve_and_create_bundle+0x3e3/0x5a20\n xfrm_lookup_with_ifid+0xcc0/0x3770\n=====================================================\n\nFix by checking the return value of ipv6_dev_get_saddr() and propagating\nthe error."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","baseScore":8.6,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/xfrm6_policy.c"],"versions":[{"version":"a1e59abf824969554b90facd44a4ab16e265afa4","lessThan":"4f28141786e1fe884ce42a5197ba9beed540f0ea","status":"affected","versionType":"git"},{"version":"a1e59abf824969554b90facd44a4ab16e265afa4","lessThan":"6535867673bf301d52aa00593a4d1d18cc3922fa","status":"affected","versionType":"git"},{"version":"a1e59abf824969554b90facd44a4ab16e265afa4","lessThan":"eb2ee15290af14c60b45cf2b73f5687d1d077d9b","status":"affected","versionType":"git"},{"version":"a1e59abf824969554b90facd44a4ab16e265afa4","lessThan":"719918fc88df6da023dfff370cd965151a5afd7f","status":"affected","versionType":"git"},{"version":"a1e59abf824969554b90facd44a4ab16e265afa4","lessThan":"dc0abce055134cb83b0d981d31ceb20dda419787","status":"affected","versionType":"git"},{"version":"a1e59abf824969554b90facd44a4ab16e265afa4","lessThan":"c7221e7bd8fc2ef38a0b27be580d9d202281306b","status":"affected","versionType":"git"},{"version":"a1e59abf824969554b90facd44a4ab16e265afa4","lessThan":"3dcd1664ac15eee6a690daec7c4ffc59190406f7","status":"affected","versionType":"git"},{"version":"a1e59abf824969554b90facd44a4ab16e265afa4","lessThan":"1799d8abeabc68ec05679292aaf6cba93b343c05","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/xfrm6_policy.c"],"versions":[{"version":"2.6.19","status":"affected"},{"version":"0","lessThan":"2.6.19","status":"unaffected","versionType":"semver"},{"version":"5.10.252","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.202","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19","versionEndExcluding":"5.10.252"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19","versionEndExcluding":"5.15.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19","versionEndExcluding":"6.1.165"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19","versionEndExcluding":"6.6.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea"},{"url":"https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa"},{"url":"https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b"},{"url":"https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f"},{"url":"https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787"},{"url":"https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b"},{"url":"https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7"},{"url":"https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05"}],"title":"xfrm6: fix uninitialized saddr in xfrm6_get_saddr()","x_generator":{"engine":"bippy-1.2.0"}}}}