Skip to main content

Linux Kernel CVE-2026-43092

| EUVDEUVD-2026-27594 MEDIUM
2026-05-06 Linux GHSA-gpc7-hgpf-xq94
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 19, 2026 - 20:53 vuln.today
CVSS changed
May 19, 2026 - 20:52 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xsk: validate MTU against usable frame size on bind

AF_XDP bind currently accepts zero-copy pool configurations without verifying that the device MTU fits into the usable frame space provided by the UMEM chunk.

This becomes a problem since we started to respect tailroom which is subtracted from chunk_size (among with headroom). 2k chunk size might not provide enough space for standard 1500 MTU, so let us catch such settings at bind time. Furthermore, validate whether underlying HW will be able to satisfy configured MTU wrt XSK's frame size multiplied by supported Rx buffer chain length (that is exposed via net_device::xdp_zc_max_segs).

AnalysisAI

The AF_XDP socket subsystem (xsk) in the Linux kernel fails to validate that a network device's MTU fits within the usable UMEM frame space at bind time, allowing a local low-privileged user to trigger a kernel denial of service. Usable frame space - chunk size minus headroom and tailroom - can fall below a standard 1500-byte MTU when 2k chunks are used, a gap that became exploitable once tailroom subtraction was introduced. The kernel also omits validation of hardware zero-copy capabilities via net_device::xdp_zc_max_segs. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating low immediate exploitation risk.

Technical ContextAI

AF_XDP is a high-performance Linux kernel networking facility enabling zero-copy packet I/O through a UMEM (User Memory) region shared between kernel space and userspace applications. When an AF_XDP socket is bound to a NIC in zero-copy mode (XDP_ZEROCOPY), the kernel configures hardware Rx/Tx queues to DMA directly into UMEM chunks. Each chunk has user-defined headroom and driver-defined tailroom subtracted from its total size, leaving a usable frame space. The vulnerability is a missing input validation (analogous to CWE-20, though NVD lists CWE as N/A) at the bind() syscall: the kernel does not check that (chunk_size - headroom - tailroom) >= device_MTU, nor that (xsk_frame_size × net_device::xdp_zc_max_segs) can satisfy the configured MTU for chained receive buffers. With 2k chunks - a common configuration - a standard 1500-byte MTU can be unsatisfiable once headroom and tailroom are deducted, leading to kernel memory access violations during packet processing. CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel stable release: 6.6.136 or later for the 6.6 LTS branch, 6.12.83 or later for 6.12 LTS, 6.18.24 or later for 6.18, 6.19.14 or later for 6.19, or any Linux 7.0+ release. Upstream fix commits are available at https://git.kernel.org/stable/c/a55793e5a97d4e39bdb380873a9780fe0010bff6, https://git.kernel.org/stable/c/f669d60db11dbabb96279f2b20f9d1cba43cddb2, https://git.kernel.org/stable/c/25e1e91a8da819924df0b16e3812d7b24c8ce133, https://git.kernel.org/stable/c/b2f4daa6422fd6cc0cec969794dab4a88ea4cea1, and https://git.kernel.org/stable/c/36ee60b569ba0dfb6f961333b90d19ab5b323fa9. Where immediate patching is not possible, restrict CAP_NET_RAW from unprivileged containers and enforce seccomp profiles blocking AF_XDP socket creation (socket family 44) - note this will break legitimate XDP zero-copy networking applications. As a narrower workaround, configure AF_XDP applications to use copy mode (omitting XDP_ZEROCOPY) rather than zero-copy mode, which avoids the vulnerable code path at the cost of higher CPU overhead and reduced throughput. Ensure UMEM chunk sizes are configured with sufficient headroom and tailroom margin above the interface MTU as an additional defensive measure pending patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy