In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: only publish mode_data after clone setup
iptfsclonestate() stores x->modedata before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->modedata pointing at freed memory.
The xfrm clone unwind later runs destroystate() through x->modedata, so the failed clone path tears down IPTFS state that clone_state() already freed.
Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->modedata unset. The destroy path already handles a NULL modedata pointer.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31471.json",
"cna_assigner": "Linux"
}