CVE-2026-43139
- Source
- https://cve.org/CVERecord?id=CVE-2026-43139
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43139.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-43139
- Downstream
- Published
- 2026-05-06T11:27:24.898Z
- Modified
- 2026-05-28T03:54:32.955980651Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
- Summary
- xfrm6: fix uninitialized saddr in xfrm6_get_saddr()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
xfrm6: fix uninitialized saddr in xfrm6getsaddr()
xfrm6getsaddr() does not check the return value of ipv6devgetsaddr(). When ipv6devgetsaddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6getsaddr() still returns 0 (success).
This causes the caller xfrmtmplresolveone() to use the uninitialized address in xfrmstate_find(), triggering KMSAN warning:
===================================================== BUG: KMSAN: uninit-value in xfrmstatefind+0x2424/0xa940 xfrmstatefind+0x2424/0xa940 xfrmresolveandcreatebundle+0x906/0x5a20 xfrmlookupwithifid+0xcc0/0x3770 xfrmlookuproute+0x63/0x2b0 iprouteoutputflow+0x1ce/0x270 udpsendmsg+0x2ce1/0x3400 inetsendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64syssendto+0x130/0x200 x64syscall+0x332b/0x3e70 dosyscall64+0xd3/0xf80 entrySYSCALL64afterhwframe+0x77/0x7f
Local variable tmp.i.i created at: xfrmresolveandcreatebundle+0x3e3/0x5a20
xfrmlookupwith_ifid+0xcc0/0x3770
Fix by checking the return value of ipv6devget_saddr() and propagating the error.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43139.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05
- https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7
- https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea
- https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa
- https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f
- https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b
- https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787
- https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43139.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-43139
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda1e59abf824969554b90facd44a4ab16e265afa4Fixed4f28141786e1fe884ce42a5197ba9beed540f0eaFixed6535867673bf301d52aa00593a4d1d18cc3922faFixedeb2ee15290af14c60b45cf2b73f5687d1d077d9bFixed719918fc88df6da023dfff370cd965151a5afd7fFixeddc0abce055134cb83b0d981d31ceb20dda419787Fixedc7221e7bd8fc2ef38a0b27be580d9d202281306bFixed3dcd1664ac15eee6a690daec7c4ffc59190406f7Fixed1799d8abeabc68ec05679292aaf6cba93b343c05
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced2.6.19Fixed5.10.252
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.202
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.165
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.128
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.75
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.16
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.6