CVE-2026-43039
Awaiting Analysis - Queue
Heap Memory Leak in Linux Kernel ICSSG PRUETH Driver

Publication date: 2026-05-01

Last updated on: 2026-05-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch

emac_dispatch_skb_zc() allocates a new skb via napi_alloc_skb() but never copies the packet data from the XDP buffer into it. The skb is passed up the stack containing uninitialized heap memory instead of the actual received packet, leaking kernel heap contents to userspace.

Copy the received packet data from the XDP buffer into the skb using skb_copy_to_linear_data().

Additionally, remove the skb_mark_for_recycle() call since the skb is backed by the NAPI page frag allocator, not page_pool. Marking a non-page_pool skb for recycle causes the free path to return pages to a page_pool that does not own them, corrupting page_pool state.

The non-ZC path (emac_rx_packet) does not have these issues because it uses napi_build_skb() to wrap the existing page_pool page directly, requiring no copy, and correctly marks for recycle since the page comes from page_pool_dev_alloc_pages().
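The two defects in the description, as a userspace C model of the dispatch step before and after the fix. This is an added example, not the driver's code: `model_skb`, `frag_arena`, `dispatch_zc_before`, `dispatch_zc_after` and `delivers_packet` are hypothetical names, and the stale bytes and the packet are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code. A fixed arena stands in for memory from
 * the NAPI page-frag allocator; it holds stale bytes as a reused page would. */
static unsigned char frag_arena[64];
static const char stale[] = "STALE-KERNEL-HEAP-BYTES"; /* constructed */
struct model_skb {          /* hypothetical stand-in for struct sk_buff */
    unsigned char *data;
    size_t len;             /* callers keep len <= sizeof(frag_arena) */
    int pp_recycle;         /* models the effect of skb_mark_for_recycle() */
};
static void arena_reset(void)
{
    memset(frag_arena, 0, sizeof(frag_arena));
    memcpy(frag_arena, stale, sizeof(stale) - 1);
}

/* Before the fix: length set, payload never copied, recycle flag set. */
static struct model_skb dispatch_zc_before(const unsigned char *xdp, size_t len)
{
    struct model_skb skb = { frag_arena, len, 1 };
    (void)xdp;              /* the received packet is never read */
    return skb;
}

/* After the fix: payload copied in, and no recycle mark is applied. */
static struct model_skb dispatch_zc_after(const unsigned char *xdp, size_t len)
{
    struct model_skb skb = { frag_arena, len, 0 }; /* not page_pool memory */
    memcpy(skb.data, xdp, len);  /* the role of skb_copy_to_linear_data() */
    return skb;
}

/* Returns 1 if the skb carries exactly the packet that was received. */
static int delivers_packet(const struct model_skb *skb, const unsigned char *pkt, size_t n)
{
    return skb->len == n && memcmp(skb->data, pkt, n) == 0;
}

int main(void)
{
    const unsigned char pkt[] = "constructed-rx-frame"; /* constructed sample */
    struct model_skb s; size_t n = sizeof(pkt) - 1;
    arena_reset(); s = dispatch_zc_before(pkt, n);
    printf("before: match=%d payload=%.*s\n", delivers_packet(&s, pkt, n), (int)s.len, (const char *)s.data);
    arena_reset(); s = dispatch_zc_after(pkt, n);
    printf("after:  match=%d payload=%.*s\n", delivers_packet(&s, pkt, n), (int)s.len, (const char *)s.data);
    return 0;
}
```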
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-03
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's TI icssg-prueth network driver. Specifically, the function emac_dispatch_skb_zc() allocates a new socket buffer (skb) but fails to copy the actual packet data from the XDP buffer into it. As a result, the skb contains uninitialized heap memory instead of the real packet data.

This means that when the skb is passed up the network stack, it can leak kernel heap contents to userspace, potentially exposing sensitive information.

Additionally, the code incorrectly calls skb_mark_for_recycle() on an skb that is backed by the NAPI page fragment allocator rather than the page_pool. This causes corruption in the page_pool state because pages are returned to a pool that does not own them.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes kernel heap memory to be leaked to userspace due to uninitialized data being passed instead of actual packet data.

Leaking kernel memory could potentially expose sensitive information, which may impact compliance with data protection regulations such as GDPR and HIPAA that require protection of personal and sensitive data.

However, the provided information does not explicitly state the impact on compliance with these standards.


How can this vulnerability impact me?

The vulnerability can lead to leakage of kernel heap memory contents to userspace. This means that sensitive information stored in kernel memory could be exposed to unauthorized users or processes.

Furthermore, the incorrect recycling of skb buffers can corrupt kernel memory management structures, potentially leading to system instability or crashes.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by a fix to the TI icssg-prueth driver (net: ti: icssg-prueth) in the Linux kernel.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for this issue.

The fix involves copying the received packet data from the XDP buffer into the skb using skb_copy_to_linear_data(), and removing the incorrect skb_mark_for_recycle() call.

