CVE-2026-43500
Received - Intake
Linux Kernel rxrpc Packet Handling Memory Corruption

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
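The gate change described above, as a userspace C model added here for illustration (not kernel code and not the patch itself). `struct model_skb`, `toy_decrypt` and `owner_page_intact` are hypothetical names, XOR stands in for the AEAD/skcipher operation, and the sample page contents are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: this is NOT the kernel's struct sk_buff. */
struct model_skb {
    bool cloned;        /* models skb_cloned() */
    bool has_frag_list; /* models skb_has_frag_list() */
    bool shared_frag;   /* models skb_has_shared_frag() */
    uint8_t *frag;      /* payload page, possibly owned by another party */
    size_t len;
};

/* Gate before the fix: copy only when the skb is cloned. */
static bool gate_before(const struct model_skb *s) { return s->cloned; }

/* Gate after the fix: also copy for frag lists and shared frags. */
static bool gate_after(const struct model_skb *s) {
    return s->cloned || s->has_frag_list || s->shared_frag;
}

/* Stand-in for the security op: XOR "decrypts" the buffer in place. */
static void toy_decrypt(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5a;
}

/* Runs the modelled receive path under the given gate and returns true
 * when the externally owned page was left unmodified. */
static bool owner_page_intact(bool (*gate)(const struct model_skb *),
                              bool cloned, bool frag_list, bool shared) {
    uint8_t owner_page[16], before[16];
    memset(owner_page, 0x41, sizeof owner_page); /* constructed sample */
    memcpy(before, owner_page, sizeof before);
    struct model_skb skb = { cloned, frag_list, shared, owner_page, 16 };
    uint8_t *work = skb.frag, *priv = NULL;
    if (gate(&skb)) {             /* unshare: private linear copy */
        priv = malloc(skb.len);
        if (!priv) return true;   /* OOM in this model: skip decryption */
        memcpy(priv, skb.frag, skb.len);
        work = priv;
    }
    toy_decrypt(work, skb.len);   /* writes to whatever 'work' points at */
    free(priv);
    return memcmp(owner_page, before, sizeof before) == 0;
}

int main(void) {
    return (owner_page_intact(gate_after, false, false, true) &&
            !owner_page_intact(gate_before, false, false, true)) ? 0 : 1;
}
```

With all three flags clear, both gates still decrypt in place, which corresponds to the zero-copy fast path the description says is preserved for kernel-private frags.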
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability could allow an attacker to exploit the way packet fragments are handled during decryption, potentially leading to unauthorized access or manipulation of data processed by the rxrpc protocol in the Linux kernel. It may enable a splice-loopback attack vector or other attacks involving shared fragment sources, which could compromise the integrity or confidentiality of network communications.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's rxrpc component, specifically in how DATA and RESPONSE packets are handled when they contain paged fragments. The issue arises because the packet handlers only unshare (make a private copy of) the packet data when the packet is cloned, but not when the packet carries externally-owned paged fragments. This can lead to the packet being processed in-place, which improperly binds fragment pages directly into cryptographic operations, potentially exposing a splice-loopback vector and other shared fragment sources.

The fix extends the unsharing condition to also cover packets that have shared fragment lists or shared fragments, preventing unsafe in-place decryption and preserving security while maintaining performance optimizations for kernel-private fragments.

