CVE-2026-31517

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly<br /> <br /> In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner<br /> packet &amp;#39;newskb&amp;#39; that is being reassembled. First a zero-copy approach is<br /> tried if it succeeds then newskb becomes non-linear.<br /> <br /> When a subsequent fragment in the same datagram does not meet the<br /> fast-path conditions, a memory copy is performed. It calls skb_put() to<br /> append the data and as newskb is non-linear it triggers<br /> SKB_LINEAR_ASSERT check.<br /> <br /> Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [...]<br /> RIP: 0010:skb_put+0x3c/0x40<br /> [...]<br /> Call Trace:<br /> <br /> iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]<br /> iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]<br /> iptfs_input+0x122/0x3e0 [xfrm_iptfs]<br /> xfrm_input+0x91e/0x1a50<br /> xfrm4_esp_rcv+0x3a/0x110<br /> ip_protocol_deliver_rcu+0x1d7/0x1f0<br /> ip_local_deliver_finish+0xbe/0x1e0<br /> __netif_receive_skb_core.constprop.0+0xb56/0x1120<br /> __netif_receive_skb_list_core+0x133/0x2b0<br /> netif_receive_skb_list_internal+0x1ff/0x3f0<br /> napi_complete_done+0x81/0x220<br /> virtnet_poll+0x9d6/0x116e [virtio_net]<br /> __napi_poll.constprop.0+0x2b/0x270<br /> net_rx_action+0x162/0x360<br /> handle_softirqs+0xdc/0x510<br /> __irq_exit_rcu+0xe7/0x110<br /> irq_exit_rcu+0xe/0x20<br /> common_interrupt+0x85/0xa0<br /> <br /> <br /> <br /> Fix this by checking if the skb is non-linear. If it is, linearize it by<br /> calling skb_linearize(). As the initial allocation of newskb originally<br /> reserved enough tailroom for the entire reassembled packet we do not<br /> need to check if we have enough tailroom or extend it.