Zero Day MonitorZDM

← Back to list

7.8

CVE-2026-43500KEVEXPLOITEDPATCHED

Linux · Linux

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

Affected Products

Vendor	Product	Versions
Linux	Linux	d0d5c0cd1e711c98703f3544c1e6fc1372898de5, d0d5c0cd1e711c98703f3544c1e6fc1372898de5, d0d5c0cd1e711c98703f3544c1e6fc1372898de5, 5.3

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
linux	linux	mitre_affected	90%

References

Related News (4 articles)

Tier E

Lobsters Security5h ago

Load-Bearing Assumptions: the rxrpc case (CVE-2026-43500) and the constraint that was never there

→ No new info (linked only)

Tier C

VulDB14h ago

CVE-2026-43500 | Linux Kernel up to 6.18.28/7.0.5/7.1-rc2 rxrpc rxrpc_input_call_event infinite loop

→ No new info (linked only)

Tier C

Linux Kernel CVEs15h ago

CVE-2026-43500: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

→ No new info (linked only)

Tier B

CERT-FR22h ago

Bulletin d'actualité CERTFR-2026-ACT-021 (11 mai 2026)

→ No new info (linked only)

CVSS 3.17.8 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

3eae0f4f9f7206a4801efa5e0235c25bbd5a412cd45179f8795222ce858770dc619abe51f9d24411aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d7106.18.297.0.67.1-rc3

PublishedMay 11, 2026

Last enriched9h agov2

Trending Score117🔥

Source articles4

Independent4

Info Completeness7/14

Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

IMPORTANTCVE-2026-43284EXPKEV

xfrm: esp: avoid in-place decrypt on shared skb frags

HIGHCVE-2026-31431EXPKEV

crypto: algif_aead - Revert to operating out-of-place

CRITICALCVE-2025-71296EXP

drm/tests: shmem: Hold reservation lock around purge

CRITICALCVE-2026-43297EXP

media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()

CRITICALCVE-2026-43295EXP

rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 11, 2026

Added to CISA KEV

May 11, 2026

Discovered by ZDM

May 11, 2026

Updated: affectedVersions

May 11, 2026

Actively Exploited

May 11, 2026

Patch Available

May 11, 2026

Version History

v2

Last enriched 9h ago

v2Tier C13h ago

Updated description with critical vulnerability details, changed severity to CRITICAL, and added affected versions 6.18.28, 7.0.5, and 7.1-rc2.

affectedVersions

via VulDB

v115h ago

Initial creation