CVE-2026-43139

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm6: fix uninitialized saddr in xfrm6_get_saddr()<br /> <br /> xfrm6_get_saddr() does not check the return value of<br /> ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable<br /> source address (returns -EADDRNOTAVAIL), saddr-&gt;in6 is left<br /> uninitialized, but xfrm6_get_saddr() still returns 0 (success).<br /> <br /> This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized<br /> address in xfrm_state_find(), triggering KMSAN warning:<br /> <br /> =====================================================<br /> BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940<br /> xfrm_state_find+0x2424/0xa940<br /> xfrm_resolve_and_create_bundle+0x906/0x5a20<br /> xfrm_lookup_with_ifid+0xcc0/0x3770<br /> xfrm_lookup_route+0x63/0x2b0<br /> ip_route_output_flow+0x1ce/0x270<br /> udp_sendmsg+0x2ce1/0x3400<br /> inet_sendmsg+0x1ef/0x2a0<br /> __sock_sendmsg+0x278/0x3d0<br /> __sys_sendto+0x593/0x720<br /> __x64_sys_sendto+0x130/0x200<br /> x64_sys_call+0x332b/0x3e70<br /> do_syscall_64+0xd3/0xf80<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Local variable tmp.i.i created at:<br /> xfrm_resolve_and_create_bundle+0x3e3/0x5a20<br /> xfrm_lookup_with_ifid+0xcc0/0x3770<br /> =====================================================<br /> <br /> Fix by checking the return value of ipv6_dev_get_saddr() and propagating<br /> the error.