In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
Add validation of the inner IPv4 packet tot_len and ihl fields parsed from decrypted IPTFS payloads in _inputprocesspayload(). A crafted ESP packet containing an inner IPv4 header with totlen=0 causes an infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the data offset never advances and the while(data < tail) loop never terminates, spinning forever in softirq context.
Reject inner IPv4 packets where totlen < ihl4 or ihl4 < sizeof(struct iphdr), which catches both the totlen=0 case and malformed ihl values. The normal IP stack performs this validation in iprcvcore(), but IPTFS extracts and processes inner packets before they reach that layer.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31472.json",
"cna_assigner": "Linux"
}