# CVE-2026-31472

> Vulnerability · severity: **MEDIUM** (CVSS 5.5).

## Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.

## Key facts

- **CVE ID:** CVE-2026-31472
- **Published:** 2026-04-22
- **CVSS severity:** MEDIUM
- **CVSS base score:** 5.5
- **CWE codes:** CWE-835

## Affected products

- `linux:linux_kernel`

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31472

## Citation

> AI Analytics. CVE-2026-31472. Retrieved 2026-07-19 from https://api.ai-analytics.org/cve/CVE-2026-31472. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*