Skip to main content

Linux kernel CVE-2026-43500

| EUVDEUVD-2026-29037 HIGH
Out-of-bounds Write (CWE-787)
2026-05-11 Linux GHSA-8p2w-g92w-f4x3
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 12:22 vuln.today
CVSS changed
May 11, 2026 - 12:22 NVD
7.8 (HIGH)
Patch available
May 11, 2026 - 09:01 EUVD
CVE Published
May 11, 2026 - 06:26 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 06:26 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

AnalysisAI

Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated attackers to achieve arbitrary code execution with kernel privileges. The vulnerability stems from improper handling of shared fragment memory in DATA and RESPONSE packet processing, where the kernel fails to unshare externally-owned page fragments before in-place decryption operations. This creates a buffer overflow condition (CWE-787) exploitable by local users with low privileges. Patches are available for kernel versions 6.18.29, 7.0.6, and 7.1-rc3. EPSS and KEV status not provided in available data.

Technical ContextAI

The rxrpc protocol implementation in the Linux kernel mishandles memory ownership semantics for socket buffer (skb) fragments during cryptographic operations. When processing DATA and RESPONSE packets in rxrpc_input_call_event() and rxrpc_verify_response(), the code only creates a linear copy of the skb when skb_cloned() returns true. However, skbs with externally-owned paged fragments-such as those created by splice() operations into UDP sockets via __ip_append_data() with SKBFL_SHARED_FRAG set, or skbs with chained fragment lists-bypass this check. These unshared skbs proceed to in-place decryption where their fragment pages are directly bound into the AEAD/skcipher scatter-gather list via skb_to_sgvec(). This violates memory ownership assumptions and leads to a buffer overflow (CWE-787). The vulnerability affects the rxrpc subsystem introduced in commit d0d5c0cd1e71 and impacts kernels from version 5.3 onward. The affected code paths involve low-level kernel networking primitives including skb fragment management, cryptographic subsystems, and zero-copy optimization logic.

RemediationAI

Apply vendor-released patches immediately for affected kernel branches: upgrade to Linux kernel 6.18.29 or later for 6.x stable series, 7.0.6 or later for 7.0 stable series, or 7.1-rc3 or later for development kernels. Upstream fixes available at https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71, https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411, and https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c. The fix extends the skb unsharing gate to check skb_has_frag_list() and skb_has_shared_frag() in addition to skb_cloned(), ensuring externally-owned fragments are copied to linear buffers before cryptographic operations. If immediate patching is not feasible, compensating controls include disabling the rxrpc kernel module via blacklist (add 'blacklist rxrpc' to /etc/modprobe.d/blacklist.conf and rebuild initramfs), which prevents exploitation but breaks AFS and other rxrpc-dependent functionality-acceptable only if these services are not required. Alternatively, restrict local user access through mandatory access controls (SELinux/AppArmor) to limit potential attackers to non-interactive service accounts, though this only reduces attack surface rather than eliminating the vulnerability. For environments requiring rxrpc functionality, prioritize kernel updates as no effective workaround exists that maintains full service availability. Verify patch application by checking kernel version with 'uname -r' and confirming commit presence in kernel source.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.1/base-os-container:latest Affected
Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.1/kvm-os-container:latest Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.172 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.120 Affected
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed

Share

CVE-2026-43500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy