CVE Tools

CVE-2026-43500

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

Published: May 11, 2026Updated: Jun 30, 2026 Sources: CVE List NVD BDUCWE-787

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

In plain language

AI Worth attention

This is a Linux kernel networking bug that can let a local, low-privileged attacker crash the system or potentially run code by abusing shared memory packet fragments. If you operate servers or containers on affected Linux distributions, you should act to patch it.

Executive summary

In the Linux kernel rxrpc subsystem, a flaw in how it handles “shared fragment” network packets lets the code bypass the expected “unshare/copy” path; this can lead to in-place decryption that binds externally-owned pages into cryptographic operations, enabling local low-privilege denial of service or potential arbitrary code execution.

If affected, business impact
System crash (denial of service)Potential arbitrary code executionService outage for hosted appsPossible compromise of server

What to do now

  1. Check your Linux kernel version on each affected system (servers, VMs, and container hosts) and compare it to the fixed versions listed below.
  2. Upgrade the Linux kernel to one of the fixed revisions/versions: 7c504ffab3efce8f7e4f463b314ae31030bdf18b, 3711382a77342a9a1c3d2e7330dcfc7ea927f568, 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c, d45179f8795222ce858770dc619abe51f9d24411, aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71, or 6.18.29.
  3. If you run OpenShift Container Platform, Debian, Astra Linux, Red Hat Enterprise Linux, Red OS, Osnova Onyx, or SberLinux OS Server, ensure your platform vendor has rolled the patched kernel into your supported update stream and apply it.
  4. After patching, reboot hosts as required by your OS/vendor process and confirm the running kernel version is the patched one.
Patch / advisory Usually a quick update

CVSS Vector Breakdown

AV:LAC:LPR:LUI:NS:UC:HI:HA:H
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High

Weaknesses

Affected Products

and 2 more affected products View all →

Exploitability

Official Patch Available

Attack Graph

Products CVE Techniques Tactics

Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/ + scroll to zoom, or go fullscreen.

MITRE ATT&CK

2 techniques
Initial Access
Privilege Escalation
View detailed technique mapping

References

and 20 more references View all →
Could not load news mentions.

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-43500 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows