Skip to main content

Linux Kernel CVE-2026-43464

| EUVDEUVD-2026-28770 HIGH
2026-05-08 Linux GHSA-mf99-5486-2jh2
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:38 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ

XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues.

Such issue can be observed with the test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of 3600 and shrinking by 256 bytes (an upcoming selftest patch): the last fragment gets released by the XDP code but doesn't get tracked by the driver. This results in a negative pp_ref_count during page release and the following splat:

WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137 Modules linked in: [...] CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core] [...] Call Trace: <TASK> mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core] mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core] mlx5e_close_rq+0x50/0x60 [mlx5_core] mlx5e_close_queues+0x36/0x2c0 [mlx5_core] mlx5e_close_channel+0x1c/0x50 [mlx5_core] mlx5e_close_channels+0x45/0x80 [mlx5_core] mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core] mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core] netif_set_mtu_ext+0xf1/0x230 do_setlink.isra.0+0x219/0x1180 rtnl_newlink+0x79f/0xb60 rtnetlink_rcv_msg+0x213/0x3a0 netlink_rcv_skb+0x48/0xf0 netlink_unicast+0x24a/0x350 netlink_sendmsg+0x1ee/0x410 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x232/0x280 ___sys_sendmsg+0x78/0xb0 __sys_sendmsg+0x5f/0xb0 [...] do_syscall_64+0x57/0xc50

This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag.

As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.

AnalysisAI

Memory corruption in Linux kernel's mlx5 network driver causes denial of service when XDP multi-buffer programs modify packet layout. The flaw specifically affects the mlx5e receive queue fragment tracking logic: when XDP programs call bpf_xdp_pull_data() or bpf_xdp_adjust_tail() to modify buffer layout, the driver fails to properly count dropped fragments, leading to negative page pool reference counts, kernel warnings, and potential system instability. Exploitation requires sending crafted network packets to systems using mlx5 NICs with XDP multi-buffer programs loaded. EPSS score of 0.02% indicates low exploitation probability. Vendor patches available for kernel versions 6.18.19, 6.19.9, and 7.0.

Technical ContextAI

This vulnerability affects the Mellanox mlx5 Ethernet driver's implementation of XDP (eXpress Data Path) multi-buffer support in the receive queue (RQ) path. XDP is a high-performance packet processing framework in the Linux kernel that allows eBPF programs to process packets before they reach the network stack. Multi-buffer XDP support enables processing of packets larger than a single page. The vulnerable code path involves page pool fragment reference counting when XDP programs dynamically modify packet layouts via bpf_xdp_pull_data() or bpf_xdp_adjust_tail() helper functions. A previous fix (commit afd5ba577c10) addressed assumptions about static buffer layouts but introduced a fragment accounting bug where the driver loses track of fragments released by XDP code, causing page_pool reference count underflow. The CPE strings indicate this affects general Linux kernel installations with mlx5 driver support. The issue manifests in mlx5e_page_release_fragmented() when page fragments are deallocated during RQ cleanup, specifically observable with legacy RQ (receive queue) configurations.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.19, 6.19.9, or 7.0 and later. Fixed commits are available from kernel.org git stable tree at https://git.kernel.org/stable/c/c74557495efb4bd0adefdfc8678ecdbc82a06da3 (6.18 stable), https://git.kernel.org/stable/c/a6413e6f6c9d9bb9833324cb3753582f7bc0f8d (6.19 stable), and https://git.kernel.org/stable/c/03cb50e5b74fce8bf6d92b860371b66253cf0f8d (mainline). The fix restores proper fragment counting for all XDP actions (XDP_TX, XDP_REDIRECT, XDP_PASS) to prevent page pool reference count underflow. If immediate patching is not feasible, consider temporary workarounds: (1) Unload XDP multi-buffer programs from mlx5 interfaces using 'ip link set dev <interface> xdp off' - this eliminates the vulnerable code path but disables XDP acceleration, significantly impacting packet processing performance in high-throughput environments; (2) Switch mlx5 driver to non-legacy RQ mode if supported by your kernel version, though configuration method and compatibility vary by kernel version; (3) Limit exposure by restricting network access to affected interfaces using firewall rules, though this may conflict with the interface's intended function. Each workaround has performance or functionality trade-offs making kernel upgrade the preferred solution.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy