{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "6c82d2433671819a550227bf65bfb6043e3d3305"
            },
            {
              "fixed": "de6d8e8ce5187f7402c9859b443355e7120c5f09"
            },
            {
              "fixed": "3db7d4f777a00164582061ccaa99569cd85011a3"
            },
            {
              "fixed": "0d10393d5eac33cbd92f7a41fddca12c41d3cb7e"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.14.0"
            },
            {
              "fixed": "6.18.21"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31472.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: validate inner IPv4 header length in IPTFS payload\n\nAdd validation of the inner IPv4 packet tot_len and ihl fields parsed\nfrom decrypted IPTFS payloads in __input_process_payload(). A crafted\nESP packet containing an inner IPv4 header with tot_len=0 causes an\ninfinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the\ndata offset never advances and the while(data \u003c tail) loop never\nterminates, spinning forever in softirq context.\n\nReject inner IPv4 packets where tot_len \u003c ihl*4 or ihl*4 \u003c sizeof(struct\niphdr), which catches both the tot_len=0 case and malformed ihl values.\nThe normal IP stack performs this validation in ip_rcv_core(), but IPTFS\nextracts and processes inner packets before they reach that layer.",
  "id": "CVE-2026-31472",
  "modified": "2026-07-08T05:37:27.709675175Z",
  "published": "2026-04-22T13:54:00.281Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d10393d5eac33cbd92f7a41fddca12c41d3cb7e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3db7d4f777a00164582061ccaa99569cd85011a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de6d8e8ce5187f7402c9859b443355e7120c5f09"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31472.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31472"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "xfrm: iptfs: validate inner IPv4 header length in IPTFS payload"
}