OVAL

ALAS-2017-811 ---- kernel perf

ID: oval:org.secpod.oval:def:1600521
Date: (C)2017-04-03   (M)2023-12-20
Class: PATCH
Family: unix




The skbs processed by ip_cmsg_recv are not guaranteed to be linear. Using csum_partial on potentially the whole skb len is dangerous; instead be on the safe side and use skb_checksum. This may lead to an infoleak as the kernel memory may be checksummed and sent as part of the packet.

It was discovered that xfrm_replay_verify_len, as called by xfrm_new_ae, did not verify that the user-specified replay_window was within the replay state buffer. This allowed for out-of-bounds reads and writes of kernel memory.

Platform:
Amazon Linux AMI
Product:
kernel
perf
Reference:
ALAS-2017-811
CVE-2017-7184
CVE-2017-6347
CPE (5):
cpe:/o:amazon:linux
cpe:/o:linux:linux_kernel
cpe:/o:linux:linux_kernel:4.8
cpe:/a:perf:perf
...

© SecPod Technologies