CVE-2026-43500
Linux Kernel rxrpc Packet Handling Memory Corruption
Publication date: 2026-05-11
Last updated on: 2026-05-17
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.3 |
| linux | linux_kernel | 7.1 |
| linux | linux_kernel | From 5.3 (exc) to 6.18.29 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 7.0.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-43500 impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability could allow an attacker to exploit the way packet fragments are handled during decryption, potentially leading to unauthorized access or manipulation of data processed by the rxrpc protocol in the Linux kernel. It may enable a splice-loopback attack vector or other attacks involving shared fragment sources, which could compromise the integrity or confidentiality of network communications.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's rxrpc component, specifically in how DATA and RESPONSE packets are handled when they contain paged fragments. The issue arises because the packet handlers only unshare (make a private copy of) the packet data when the packet is cloned, but not when the packet carries externally-owned paged fragments. This can lead to the packet being processed in-place, which improperly binds fragment pages directly into cryptographic operations, potentially exposing a splice-loopback vector and other shared fragment sources.
The fix extends the unsharing condition to also cover packets that have shared fragment lists or shared fragments, preventing unsafe in-place decryption and preserving security while maintaining performance optimizations for kernel-private fragments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the vulnerable RxRPC module is loaded and if the system is susceptible to the page-cache write flaw. Since the exploit contaminates the page cache, one indirect method is to monitor unusual page cache behavior or suspicious activity related to the RxRPC module.
A practical command to check whether the vulnerable module is loaded is:
- `lsmod | grep rxrpc`
Additionally, to check the kernel version and determine whether it falls within the vulnerable range (from 2023-06 commit 2dc334f1a63a onward), use:
- `uname -r`
Since the exploit contaminates the page cache, monitoring or clearing the page cache can be part of detection and mitigation steps.
Note: There is no direct detection command provided for this vulnerability, but checking for loaded vulnerable modules and kernel versions is a starting point.
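An added shell check that puts the two steps above together; it is example code written for this page, not part of the CVE record or of any kernel.org tooling. It classifies a kernel release string against the affected ranges listed in the table on this page (those boundaries are the only inputs taken from the page; the sample release strings in the comments are constructed) and reports whether `rxrpc` is currently loaded as a module.

```shell
#!/bin/sh
# Added example (not from the CVE record): classify a kernel release against the affected ranges on this page.

# Normalise "6.18.28-generic" -> "6.18.28" and pad to three numeric fields.
norm_ver() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    case "$v" in
        *.*.*) printf '%s' "$v" ;;
        *.*)   printf '%s.0' "$v" ;;
        *)     printf '%s.0.0' "$v" ;;
    esac
}

# ver_cmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing field by field.
ver_cmp() {
    a=$(norm_ver "$1"); b=$(norm_ver "$2"); i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Affected ranges as listed in this page's table: 5.3 and 7.1 exactly,
# 5.3 (exc) .. 6.18.29 (exc), and 6.19 (inc) .. 7.0.6 (exc).
# Prints "affected" or "not-affected" for the given release string.
classify_kernel() {
    if [ "$(ver_cmp "$1" 5.3)" -eq 0 ] || [ "$(ver_cmp "$1" 7.1)" -eq 0 ]; then
        echo affected
    elif [ "$(ver_cmp "$1" 5.3)" -gt 0 ] && [ "$(ver_cmp "$1" 6.18.29)" -lt 0 ]; then
        echo affected
    elif [ "$(ver_cmp "$1" 6.19)" -ge 0 ] && [ "$(ver_cmp "$1" 7.0.6)" -lt 0 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Exit status 0 if rxrpc appears in lsmod output (loaded as a module), else 1.
rxrpc_loaded() {
    lsmod 2>/dev/null | awk '$1 == "rxrpc" { found = 1 } END { exit !found }'
}

# Report on the running system (a built-in rxrpc would not show in lsmod).
echo "kernel $(uname -r): $(classify_kernel "$(uname -r)")"
rxrpc_loaded && echo "rxrpc module loaded" || echo "rxrpc module not loaded"
```

A kernel reported as affected is remediated by moving to a release outside the listed ranges; the module check only narrows whether the vulnerable code is currently active.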
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the vulnerable kernel modules and clearing the page cache to prevent exploitation.
- Disable the vulnerable modules: `esp4`, `esp6`, and `rxrpc`.
- Clear the page cache using the command: `echo 3 > /proc/sys/vm/drop_caches`
If possible, reboot the system after clearing the page cache to ensure a clean state.
Monitor your Linux distribution for official patches or backported fixes, as no official patches exist for most distributions at the time of disclosure.