Description
In the Linux kernel, the following vulnerability has been resolved:

xsk: validate MTU against usable frame size on bind

AF_XDP bind currently accepts zero-copy pool configurations without
verifying that the device MTU fits into the usable frame space provided
by the UMEM chunk.

This becomes a problem since we started to respect tailroom which is
subtracted from chunk_size (among with headroom). 2k chunk size might
not provide enough space for standard 1500 MTU, so let us catch such
settings at bind time. Furthermore, validate whether underlying HW will
be able to satisfy configured MTU wrt XSK's frame size multiplied by
supported Rx buffer chain length (that is exposed via
net_device::xdp_zc_max_segs).
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s AF_XDP implementation accepts zero‑copy pool configurations during bind without verifying that the device MTU fits into the usable frame space of the UMEM chunk. Because tailroom and headroom are now subtracted from the chunk size, a 2k chunk may be insufficient for the standard 1500 MTU. If a packet larger than the available space arrives, the kernel could attempt to copy beyond the buffer boundaries, potentially leading to memory corruption or an unexpected crash, effectively denying service to the host.

Affected Systems

All Linux kernel builds that have not incorporated the patch referenced in the commit logs are vulnerable. No specific release numbers are listed, so any kernel lacking the fix should be considered at risk.

Risk and Exploitability

An attacker with local privileges or the ability to create AF_XDP sockets can bind a pool with a chunk size that does not accommodate the network interface’s MTU. This undermines buffer bounds safety and could trigger a crash. Based on the CVSS score of 5.5, the vulnerability is considered moderate in severity. The EPSS score is <1%, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploitation yet. Based on the description, it is inferred that the lack of MTU validation could allow an attacker to cause a denial of service by forcing a kernel panic.

Generated by OpenCVE AI on May 19, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel version that includes the MTU validation patch and reboot to load the new kernel.
  • After updating, restart any AF_XDP applications to re‑establish socket bindings.
  • If a patch cannot be applied immediately, reconfigure zero‑copy pools so that the UMEM chunk size is larger than the interface MTU plus the required headroom and tailroom, or disable zero‑copy usage on interfaces whose MTU exceeds the available chunk space.
  • If AF_XDP is not required for a system, compile the kernel with AF_XDP disabled or unload any XDP programs to reduce exposure.

Generated by OpenCVE AI on May 19, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 07 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-190

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 06 May 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-190

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xsk: validate MTU against usable frame size on bind AF_XDP bind currently accepts zero-copy pool configurations without verifying that the device MTU fits into the usable frame space provided by the UMEM chunk. This becomes a problem since we started to respect tailroom which is subtracted from chunk_size (among with headroom). 2k chunk size might not provide enough space for standard 1500 MTU, so let us catch such settings at bind time. Furthermore, validate whether underlying HW will be able to satisfy configured MTU wrt XSK's frame size multiplied by supported Rx buffer chain length (that is exposed via net_device::xdp_zc_max_segs).
Title xsk: validate MTU against usable frame size on bind
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:34.476Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43092

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T10:16:22.550

Modified: 2026-05-19T20:41:46.020

Link: CVE-2026-43092

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43092 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T21:30:14Z

Weaknesses