CVE-2026-43500
- Source
- https://cve.org/CVERecord?id=CVE-2026-43500
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43500.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-43500
- Downstream
- Related
- Published
- 2026-05-11T06:26:45.838Z
- Modified
- 2026-05-22T18:29:12.044336806Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpcinputcallevent() and the RESPONSE handler in rxrpcverifyresponse() copy the skb to a linear one before calling into the security ops only when skbcloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFLSHAREDFRAG set by splice() into a UDP socket via _ipappenddata, or a chained skbhasfraglist()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skbtosgvec().
Extend the gate to also unshare when skbhasfraglist() or skbhassharedfrag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43500.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568
- https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c
- https://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18b
- https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71
- https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43500.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-43500
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://github.com/V4bel/dirtyfrag
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd0d5c0cd1e711c98703f3544c1e6fc1372898de5Fixed7c504ffab3efce8f7e4f463b314ae31030bdf18bFixed3711382a77342a9a1c3d2e7330dcfc7ea927f568Fixed3eae0f4f9f7206a4801efa5e0235c25bbd5a412cFixedd45179f8795222ce858770dc619abe51f9d24411Fixedaa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71