In the Linux kernel, the following vulnerability has been resolved:

xfrm6: fix uninitialized saddr in xfrm6_get_saddr()

xfrm6_get_saddr() does not check the return value of
ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable
source address (returns -EADDRNOTAVAIL), saddr->in6 is left
uninitialized, but xfrm6_get_saddr() still returns 0 (success).

This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized
address in xfrm_state_find(), triggering KMSAN warning:

=====================================================
BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940
xfrm_state_find+0x2424/0xa940
xfrm_resolve_and_create_bundle+0x906/0x5a20
xfrm_lookup_with_ifid+0xcc0/0x3770
xfrm_lookup_route+0x63/0x2b0
ip_route_output_flow+0x1ce/0x270
udp_sendmsg+0x2ce1/0x3400
inet_sendmsg+0x1ef/0x2a0
__sock_sendmsg+0x278/0x3d0
__sys_sendto+0x593/0x720
__x64_sys_sendto+0x130/0x200
x64_sys_call+0x332b/0x3e70
do_syscall_64+0xd3/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp.i.i created at:
xfrm_resolve_and_create_bundle+0x3e3/0x5a20
xfrm_lookup_with_ifid+0xcc0/0x3770
=====================================================

Fix by checking the return value of ipv6_dev_get_saddr() and propagating
the error.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
a1e59abf824969554b90facd44a4ab16e265afa4 affected < 4f28141786e1fe884ce42a5197ba9beed540f0ea
a1e59abf824969554b90facd44a4ab16e265afa4 affected < 6535867673bf301d52aa00593a4d1d18cc3922fa
a1e59abf824969554b90facd44a4ab16e265afa4 affected < eb2ee15290af14c60b45cf2b73f5687d1d077d9b
a1e59abf824969554b90facd44a4ab16e265afa4 affected < 719918fc88df6da023dfff370cd965151a5afd7f
a1e59abf824969554b90facd44a4ab16e265afa4 affected < dc0abce055134cb83b0d981d31ceb20dda419787
a1e59abf824969554b90facd44a4ab16e265afa4 affected < c7221e7bd8fc2ef38a0b27be580d9d202281306b
a1e59abf824969554b90facd44a4ab16e265afa4 affected < 3dcd1664ac15eee6a690daec7c4ffc59190406f7
a1e59abf824969554b90facd44a4ab16e265afa4 affected < 1799d8abeabc68ec05679292aaf6cba93b343c05
Linux Linux affected
Version Status Constraints
2.6.19 affected
0 unaffected < 2.6.19
5.10.252 unaffected ≤ 5.10.*
5.15.202 unaffected ≤ 5.15.*
6.1.165 unaffected ≤ 6.1.*
6.6.128 unaffected ≤ 6.6.*
6.12.75 unaffected ≤ 6.12.*
6.18.16 unaffected ≤ 6.18.*
6.19.6 unaffected ≤ 6.19.*
7.0 unaffected ≤ *

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Linux Subscribe
Linux Kernel Subscribe

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05 cve-icon cve-icon
https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7 cve-icon cve-icon
https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea cve-icon cve-icon
https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa cve-icon cve-icon
https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f cve-icon cve-icon
https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b cve-icon cve-icon
https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787 cve-icon cve-icon
https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b cve-icon cve-icon
History

Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_get_saddr() xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6_get_saddr() still returns 0 (success). This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized address in xfrm_state_find(), triggering KMSAN warning: ===================================================== BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940 xfrm_state_find+0x2424/0xa940 xfrm_resolve_and_create_bundle+0x906/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 xfrm_lookup_route+0x63/0x2b0 ip_route_output_flow+0x1ce/0x270 udp_sendmsg+0x2ce1/0x3400 inet_sendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64_sys_sendto+0x130/0x200 x64_sys_call+0x332b/0x3e70 do_syscall_64+0xd3/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable tmp.i.i created at: xfrm_resolve_and_create_bundle+0x3e3/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 ===================================================== Fix by checking the return value of ipv6_dev_get_saddr() and propagating the error.
Title xfrm6: fix uninitialized saddr in xfrm6_get_saddr()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:24.898Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43139

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:31.227

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43139

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses