Skip to main content

Linux Kernel CVE-2026-43284

| EUVDEUVD-2026-28535 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-mmw8-mxmc-8w2r
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
May 11, 2026 - 08:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 11, 2026 - 08:22 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH) 8.8 (HIGH)
Analysis Generated
May 08, 2026 - 14:23 vuln.today
CVSS changed
May 08, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 09:02 EUVD
CVE Published
May 08, 2026 - 07:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 07:21 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.

That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

AnalysisAI

Use-after-free in Linux kernel ESP (IPsec) allows local authenticated attackers to decrypt shared memory fragments improperly, potentially exposing encrypted network traffic or causing memory corruption. Affects kernel versions 6.5+ where MSG_SPLICE_PAGES can attach pipe pages directly to UDP socket buffers. The IPv4/IPv6 datagram paths fail to mark spliced pages as shared, causing ESP input decryption to modify memory not privately owned by the packet buffer. Public exploit code exists (POC available on GitHub), EPSS score is low (0.01%) indicating limited widespread exploitation risk, and vendor patches are available across affected stable kernel branches (6.6.138, 6.12.87, 6.18.28, 7.0.5).

Technical ContextAI

This vulnerability involves the Linux kernel's XFRM (transform) framework used for IPsec ESP (Encapsulating Security Payload) encryption/decryption, specifically the interaction between zero-copy networking (MSG_SPLICE_PAGES) and in-place packet decryption. When TCP uses skb_splice_from_iter() to attach pages from a pipe directly to socket buffers, it sets the SKBFL_SHARED_FRAG flag indicating the fragment data is externally owned. The UDP datagram append paths (ip_append_page/ip6_append_page) failed to set this flag when splicing pages, creating ESP-in-UDP packets that appear to be private uncloned nonlinear skbs. The ESP input fast path then performs in-place decryption on these shared fragments without calling skb_cow_data() to make a private copy first, violating memory ownership assumptions. This is a CWE-416 use-after-free condition where the kernel decrypts data that may be simultaneously accessed by other contexts. The affected CPE strings (cpe:2.3:a:linux:linux) indicate Linux kernel itself, with the vulnerability introduced in commit 7da0dde68486b2d5bd7c689a9b327b77efecdfd0 and fixed in multiple stable branches via commits that add SKBFL_SHARED_FRAG marking and ESP input COW checks.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.138+ for 6.6.x series, 6.12.87+ for 6.12.x series, 6.18.28+ for 6.18.x series, or 7.0.5+ for 7.0.x series. Patches are available from kernel.org stable trees and distribution-specific repositories (references include kernel.org stable commit links and oss-security mailing list announcement at openwall.com/lists/oss-security/2026/05/08/7). If immediate patching is not feasible, consider these compensating controls with trade-offs: (1) Disable ESP-in-UDP encapsulation if not required for NAT traversal - edit /etc/ipsec.conf or strongSwan configuration to remove 'encap=yes' directives, preventing vulnerable code path but breaking IPsec through NAT devices. (2) Restrict splice() syscall usage via seccomp-bpf filters in containers/sandboxes running untrusted code - adds syscall filtering overhead and requires application compatibility testing. (3) Limit local user access and enforce principle of least privilege - reduces attack surface but does not eliminate risk from compromised low-privilege accounts. Distributions typically backport fixes to their supported kernel versions, so consult distribution-specific security advisories for RHEL, Ubuntu, Debian, SLES kernel packages. Verify patch application by checking kernel version with 'uname -r' and confirming fix commits are present in your kernel source tree.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.1/base-os-container:latest Affected
Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.1/kvm-os-container:latest Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.172 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.120 Affected
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed

Share

CVE-2026-43284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy