CVE-2026-43500
Modified Modified - Updated After Analysis
Linux Kernel rxrpc Packet Handling Memory Corruption

Publication date: 2026-05-11

Last updated on: 2026-06-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-06-14
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-43500
EUVD
EUVD-2026-29037
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.3
linux linux_kernel 5.3
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.3 (exc) to 6.18.29 (exc)
linux linux_kernel 5.3
linux linux_kernel From 6.19 (inc) to 7.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability could allow an attacker to exploit the way packet fragments are handled during decryption, potentially leading to unauthorized access or manipulation of data processed by the rxrpc protocol in the Linux kernel. It may enable a splice-loopback attack vector or other attacks involving shared fragment sources, which could compromise the integrity or confidentiality of network communications.

Executive Summary

This vulnerability exists in the Linux kernel's rxrpc component, specifically in how DATA and RESPONSE packets are handled when they contain paged fragments. The issue arises because the packet handlers only unshare (make a private copy of) the packet data when the packet is cloned, but not when the packet carries externally-owned paged fragments. This can lead to the packet being processed in-place, which improperly binds fragment pages directly into cryptographic operations, potentially exposing a splice-loopback vector and other shared fragment sources.

The fix extends the unsharing condition to also cover packets that have shared fragment lists or shared fragments, preventing unsafe in-place decryption and preserving security while maintaining performance optimizations for kernel-private fragments.

Compliance Impact

The provided information does not specify how CVE-2026-43500 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of this vulnerability involves identifying if the vulnerable RxRPC module is loaded and if the system is susceptible to the page-cache write flaw. Since the exploit contaminates the page cache, one indirect method is to monitor unusual page cache behavior or suspicious activity related to the RxRPC module.

A practical command to check if the vulnerable module is loaded is:

  • lsmod | grep rxrpc

Additionally, to check kernel version and determine if it falls within the vulnerable range (from 2023-06 commit 2dc334f1a63a onward), use:

  • uname -r

Since the exploit contaminates the page cache, monitoring or clearing the page cache can be part of detection and mitigation steps.

Note: There is no direct detection command provided for this vulnerability, but checking for loaded vulnerable modules and kernel versions is a starting point.

Mitigation Strategies

Immediate mitigation steps include disabling the vulnerable kernel modules and clearing the page cache to prevent exploitation.

  • Disable the vulnerable modules: esp4, esp6, and rxrpc.
  • Clear the page cache using the command: echo 3 > /proc/sys/vm/drop_caches

If possible, reboot the system after clearing the page cache to ensure a clean state.

Monitor your Linux distribution for official patches or backported fixes, as no official patches exist for most distributions at the time of disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart