xfrm6: fix uninitialized saddr in xfrm6_get_saddr()_CVE-2026-43139

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm6: fix uninitialized saddr in xfrm6_get_saddr()

xfrm6_get_saddr() does not check the return value of
ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable
source address (returns -EADDRNOTAVAIL), saddr->in6 is left
uninitialized, but xfrm6_get_saddr() still returns 0 (success).

This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized
address in xfrm_state_find(), triggering KMSAN warning:

=====================================================
BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940
xfrm_state_find+0x2424/0xa940
xfrm_resolve_and_create_bundle+0x906/0x5a20
xfrm_lookup_with_ifid+0xcc0/0x3770
xfrm_lookup_route+0x63/0x2b0
ip_route_output_flow+0x1ce/0x270
udp_sendmsg+0x2ce1/0x3400
inet_sendmsg+0x1ef/0x2a0
__sock_sendmsg+0x278/0x3d0
__sys_sendto+0x593/0x720
__x64_sys_sendto+0x130/0x200
x64_sys_call+0x332b/0x3e70
do_syscall_64+0xd3/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp.i.i created at:
xfrm_resolve_and_create_bundle+0x3e3/0x5a20
xfrm_lookup_with_ifid+0xcc0/0x3770
=====================================================

Fix by checking the return value of ipv6_dev_get_saddr() and propagating
the error.

AI Analysis

AI processing failed - invalid JSON response

Basic Information

ID CVE-2026-43139

Source Linux

Published May 6, 2026 at 11:27

Modified May 8, 2026 at 12:40

Affected Product

Vendor Linux

Product Linux

Version a1e59abf824969554b90facd44a4ab16e265afa4

Affected Versions Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4
Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4
Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4
Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4
Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4
Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4
Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4
Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4
Linux Linux 2.6.19

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: fix uninitialized saddr in xfrm6_get_saddr()\n\nxfrm6_get_saddr() does not check the return value of\nipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable\nsource address (returns -EADDRNOTAVAIL), saddr->in6 is left\nuninitialized, but xfrm6_get_saddr() still returns 0 (success).\n\nThis causes the caller xfrm_tmpl_resolve_one() to use the uninitialized\naddress in xfrm_state_find(), triggering KMSAN warning:\n\n=====================================================\nBUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940\n xfrm_state_find+0x2424/0xa940\n xfrm_resolve_and_create_bundle+0x906/0x5a20\n xfrm_lookup_with_ifid+0xcc0/0x3770\n xfrm_lookup_route+0x63/0x2b0\n ip_route_output_flow+0x1ce/0x270\n udp_sendmsg+0x2ce1/0x3400\n inet_sendmsg+0x1ef/0x2a0\n __sock_sendmsg+0x278/0x3d0\n __sys_sendto+0x593/0x720\n __x64_sys_sendto+0x130/0x200\n x64_sys_call+0x332b/0x3e70\n do_syscall_64+0xd3/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable tmp.i.i created at:\n xfrm_resolve_and_create_bundle+0x3e3/0x5a20\n xfrm_lookup_with_ifid+0xcc0/0x3770\n=====================================================\n\nFix by checking the return value of ipv6_dev_get_saddr() and propagating\nthe error.",
    "published": "2026-05-06T11:27:24.898Z",
    "modified": "2026-05-08T12:40:50.383Z",
    "type": "cve",
    "title": "xfrm6: fix uninitialized saddr in xfrm6_get_saddr()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea\nhttps://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa\nhttps://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b\nhttps://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f\nhttps://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787\nhttps://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b\nhttps://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7\nhttps://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05",
    "id": "CVE-2026-43139",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux a1e59abf824969554b90facd44a4ab16e265afa4\nLinux Linux a1e59abf824969554b90facd44a4ab16e265afa4\nLinux Linux a1e59abf824969554b90facd44a4ab16e265afa4\nLinux Linux a1e59abf824969554b90facd44a4ab16e265afa4\nLinux Linux a1e59abf824969554b90facd44a4ab16e265afa4\nLinux Linux a1e59abf824969554b90facd44a4ab16e265afa4\nLinux Linux a1e59abf824969554b90facd44a4ab16e265afa4\nLinux Linux a1e59abf824969554b90facd44a4ab16e265afa4\nLinux Linux 2.6.19",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "a1e59abf824969554b90facd44a4ab16e265afa4",
    "vendor": "Linux",
    "ai_description": "AI processing failed - invalid JSON response",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}