Skip to main content

Linux Kernel CVE-2026-43465

| EUVDEUVD-2026-28771 CRITICAL
2026-05-08 Linux GHSA-wm82-xv2w-22mm
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:38 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ

XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues.

The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb:

  • The mlx5 driver allocates a page_pool page and initializes it with

a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0.

  • The test sends one packet with no payload.
  • On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP

buffer with the packet data starting in the first fragment which is the page mentioned above.

  • The XDP program runs and calls bpf_xdp_pull_data() which moves the

header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63).

  • mlx5 device skips counting this fragment. Internal frag counter

remains 0.

  • mlx5 releases all 64 fragments of the page but page pp_ref_count is

63 => negative reference counting error.

Resulting splat during the test:

WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: [...] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] [...] Call Trace: <TASK> mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 [...] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70

The problem applies for XDP_PASS as well which is handled in a different code path in the driver.

This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag.

As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.

AnalysisAI

Reference counting flaw in mlx5e network driver causes kernel memory corruption when XDP multi-buffer programs modify packet layouts via bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). Affects Linux kernel versions 6.18.x through 6.19.9, with vendor patches available for 6.18.19, 6.19.9, and 7.0. The vulnerability triggers negative page pool reference counts leading to memory management errors, discovered by the drivers/net/xdp.py selftest. While CVSS scores this 9.8 Critical with network vector, the technical context suggests local impact requiring specific XDP program execution. EPSS exploitation probability is low (0.02%, 4th percentile) with no evidence of active exploitation or public POC at time of analysis.

Technical ContextAI

This vulnerability affects the mlx5e driver's implementation of XDP (eXpress Data Path) multi-buffer handling in striding receive queues. The Linux kernel's page_pool memory management system initializes network packet pages with reference counts (pp_ref_count) that track fragment usage. When XDP programs call bpf_xdp_pull_data() or bpf_xdp_adjust_tail() to modify packet buffer layouts, the mlx5 driver failed to properly count dropped fragments on the driver side. The affected CPE products (cpe:2.3:a:linux:linux) identify systems running mlx5-based Mellanox/NVIDIA network adapters with XDP multi-buffer support. The issue stems from incomplete fragment accounting after a previous fix (commit 87bcef158ac1) that corrected assumptions about XDP buffer immutability. While no CWE is assigned, this represents a memory management error class involving reference counting in kernel network drivers.

RemediationAI

Apply vendor-released patches for affected kernel versions: upgrade to Linux 6.18.19, 6.19.9, or 7.0+ which contain fixes from commits 7d7342a18fadcdb, 043bd62f748bc, and db25c42c2e1f9 available at https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832, https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c, and https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f. The patches restore proper fragment counting for all original XDP buffer fragments across XDP_TX, XDP_REDIRECT, and XDP_PASS actions. If immediate patching is not feasible, temporarily disable XDP multi-buffer programs on mlx5 network interfaces via 'ip link set dev <interface> xdp off', though this eliminates XDP performance benefits. Alternatively, configure mlx5 driver to use legacy receive queue mode instead of striding RQ by setting driver parameters, which avoids the vulnerable code path but may reduce packet processing throughput by 15-30%. Systems not using mlx5 hardware or XDP programs are not affected and do not require mitigation.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43465 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy