CVE-2026-43284
Modified Modified - Updated After Analysis
Memory Corruption in Linux Kernel XFRM ESP

Publication date: 2026-05-08

Last updated on: 2026-05-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-26
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43284
EUVD
EUVD-2026-28535
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 4.11 (inc) to 5.10.255 (exc)
linux linux_kernel From 5.12 (inc) to 5.15.205 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.171 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.28 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.138 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.87 (exc)
linux linux_kernel From 7.0 (inc) to 7.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-123 Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the Linux kernel's handling of ESP (Encapsulating Security Payload) packets within UDP datagrams. Specifically, when pages from a pipe are attached directly to an skb (socket buffer) using MSG_SPLICE_PAGES, TCP marks these skbs with a flag (SKBFL_SHARED_FRAG) to indicate shared fragments, prompting a private copy before modification. However, the IPv4/IPv6 datagram append paths did not set this flag for UDP skbs, causing ESP-in-UDP packets made from shared pipe pages to be treated like ordinary uncloned nonlinear skbs.

As a result, ESP input decrypts data in place on skbs that do not own the data privately, potentially modifying shared data incorrectly. The fix involves marking IPv4/IPv6 datagram splice fragments with the SKBFL_SHARED_FRAG flag and making ESP input fall back to a safer method (skb_cow_data()) when this flag is present, preventing in-place decryption on shared fragments.

Impact Analysis

This vulnerability can lead to incorrect in-place decryption of shared packet data, which may cause data corruption or unexpected behavior in the processing of ESP-in-UDP packets. Since the data being decrypted is not privately owned by the socket buffer, modifying it in place could affect other processes or network operations relying on the same shared data.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by marking IPv4/IPv6 datagram splice fragments with SKBFL_SHARED_FRAG and making ESP input fall back to skb_cow_data() when this flag is present. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Compliance Impact

The provided information does not specify how CVE-2026-43284 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of CVE-2026-43284 involves identifying if your Linux kernel is vulnerable and checking for signs of exploitation related to the Dirty Frag vulnerability.

Since this vulnerability affects the Linux kernel's handling of ESP-in-UDP packets and shared skb fragments, direct network detection is complex and not straightforward from network traffic alone.

A practical approach includes:

  • Check your kernel version to see if it falls within the vulnerable range (from 2017-01-17 up to patched mainline kernels). Use the command: `uname -r`
  • Look for loaded vulnerable kernel modules related to the exploit such as `esp4`, `esp6`, and `rxrpc` using: `lsmod | grep -E 'esp4|esp6|rxrpc'`
  • Monitor system logs for unusual kernel messages or crashes that might indicate exploitation attempts.
  • If you suspect exploitation, clear the page cache to remove contamination caused by the exploit using: `echo 3 > /proc/sys/vm/drop_caches`

Currently, no direct network scanning commands or signatures are provided for detecting this vulnerability in network traffic.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart