CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
In plain language
Worth attention: This is a Linux kernel networking bug that can let a local, low-privileged attacker crash the system or potentially run code by abusing shared memory packet fragments. If you operate servers or containers on affected Linux distributions, you should act to patch it.
In the Linux kernel rxrpc subsystem, a flaw in how it handles “shared fragment” network packets lets the code bypass the expected “unshare/copy” path; this can lead to in-place decryption that binds externally-owned pages into cryptographic operations, enabling local low-privilege denial of service or potential arbitrary code execution.
What to do now
- Check your Linux kernel version on each affected system (servers, VMs, and container hosts) and compare it to the fixed versions listed below.
- Upgrade the Linux kernel to one of the fixed revisions/versions: 7c504ffab3efce8f7e4f463b314ae31030bdf18b, 3711382a77342a9a1c3d2e7330dcfc7ea927f568, 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c, d45179f8795222ce858770dc619abe51f9d24411, aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71, or 6.18.29.
- If you run OpenShift Container Platform, Debian, Astra Linux, Red Hat Enterprise Linux, Red OS, Osnova Onyx, or SberLinux OS Server, ensure your platform vendor has rolled the patched kernel into your supported update stream and apply it.
- After patching, reboot hosts as required by your OS/vendor process and confirm the running kernel version is the patched one.
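For the version check in the first and last steps, the following is an added example (not part of the original advisory) that classifies a kernel release string against the 6.18.29 fix level. It assumes the release string comes from `uname -r`; the function name and result labels are hypothetical. Only the 6.18.y series can be judged by number from this page, since the other fixes are given as commit ids, so every other series is reported as unknown and needs the vendor advisory.

```shell
#!/bin/sh
# Added example: compare a kernel release string with the 6.18.29 fix level.
# A distro kernel may carry the fix as a backport under an older version
# number, so "below-fix" means "check the vendor advisory", not proof of exposure.

FIXED_SERIES="6.18"   # from the page: fixed in 6.18.29
FIXED_PATCH=29

# classify_release RELEASE -> prints at-or-above-fix | below-fix | unknown
# (hypothetical helper name and labels)
classify_release() {
    rel=$1
    # Drop distro/local suffixes: "6.18.12-1-amd64" -> "6.18.12", "6.18.30+" -> "6.18.30"
    base=${rel%%[-+_]*}
    case $base in
        "$FIXED_SERIES")   patch=0 ;;                          # "6.18" is 6.18.0
        "$FIXED_SERIES".*) patch=${base#"$FIXED_SERIES".} ;;
        *) echo unknown; return 0 ;;                           # other series: commit ids only
    esac
    # The patch level must be a plain number; anything else cannot be compared
    case $patch in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$patch" -ge "$FIXED_PATCH" ]; then
        echo at-or-above-fix
    else
        echo below-fix
    fi
}

# Report on the running kernel; rerun after the reboot to confirm the new kernel is active.
running=$(uname -r)
printf '%s: %s\n' "$running" "$(classify_release "$running")"
```
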
CVSS Vector Breakdown
- AV:L (Attack Vector)
- AC:L (Attack Complexity)
- PR:L (Privileges Required)
- UI:N (User Interaction)
- S:U (Scope)
- C:H (Confidentiality)
- I:H (Integrity)
- A:H (Availability)