CVE-2026-43284

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-43284
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43284.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43284
Downstream
Related
Published
2026-05-08T07:21:47.524Z
Modified
2026-05-20T18:29:07.513036877Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
xfrm: esp: avoid in-place decrypt on shared skb frags
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSGSPLICEPAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFLSHAREDFRAG after skbsplicefrom_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.

That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFLSHAREDFRAG, matching TCP. Also make ESP input fall back to skbcowdata() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In espoutputhead(), the path that appends the ESP trailer to existing skb tailroom without calling skbcowdata() is not reachable for nonlinear skbs: skbtailroom() returns zero when skb->datalen is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skbcowdata().

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43284.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cac2661c53f35cbe651bef9b07026a5a05ab8ce0
Fixed
a6cb440f274a22456ef3e86b457344f1678f38f9
Fixed
ab8b995323e5237041472d07e5055f5f7dcdf15b
Fixed
fe785bb3a8096dffcc4048a85cd0c83337eeecad
Fixed
5d55c7336f8032d434adcc5fab987ccc93a44aec
Fixed
8253aab4659ca16116b522203c2a6b18dccacea7
Fixed
50ed1e7873100f77abad20fd31c51029bc49cd03
Fixed
b54edf1e9a3fd3491bdcb82a21f8d21315271e0d
Fixed
71a1d9d985d26716f74d21f18ee8cac821b06e97
Fixed
52646cbd00e765a6db9c3afe9535f26218276034
Fixed
f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43284.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.11.0
Fixed
5.10.255
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.205
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.15.206
Fixed
6.1.171
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.1.172
Fixed
6.6.138
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.87
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.28
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.5

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43284.json"