CVE-2026-43500

HIGH EPSS 99.8%
Published May 11, 20261mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published May 11, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
99.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 7

VendorProductVersionRange
linuxlinux_kernel*>5.3  –  <6.18.29
linuxlinux_kernel*≥6.19  –  <7.0.6
linuxlinux_kernel5.3any
linuxlinux_kernel5.3any
linuxlinux_kernel5.3any
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568
  • git.kernel.org https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18b
  • git.kernel.org https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411
    Patch
  • github.com https://github.com/V4bel/dirtyfrag

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411
    Patch