CVE-2026-43093 - Vulnerability Details

- xsk: tighten UMEM headroom validation to account for tailroom and min frame

Description

In the Linux kernel, the following vulnerability has been resolved:

xsk: tighten UMEM headroom validation to account for tailroom and min frame

The current headroom validation in xdp_umem_reg() could leave us with
insufficient space dedicated to even receive minimum-sized ethernet
frame. Furthermore if multi-buffer would come to play then
skb_shared_info stored at the end of XSK frame would be corrupted.

HW typically works with 128-aligned sizes so let us provide this value
as bare minimum.

Multi-buffer setting is known later in the configuration process so
besides accounting for 128 bytes, let us also take care of tailroom space
upfront.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in the UMEM headroom validation performed during XDP UMEM registration. The kernel fails to reserve adequate space for even the smallest Ethernet frame, and does not consider the 128‐byte tailroom required by hardware alignment. This oversight means the tail of an XDP frame can overwrite the skb_shared_info structure that follows the data, potentially corrupting kernel memory. Such corruption could trigger a crash or provide an avenue for privilege escalation if an attacker can supply crafted packets that exploit the missing guard.

Affected Systems

All Linux kernel builds where the XDP UMEM interface is enabled are affected, as the vulnerability is present in the generic xdp_umem_reg implementation. No specific kernel version range is listed, so any version requiring this registration path may be compromised until patched.

Risk and Exploitability

The CVSS score is not provided, and EPSS is unavailable, so the exact risk rating is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely reported by exploit communities yet. However, because it involves unchecked writes to kernel memory, the likelihood of exploitation is theoretically high if an attacker can inject malicious frames into the network stack. The attack vector, while not explicitly stated, is inferred to be through network traffic that triggers XDP processing on a system with potentially misconfigured UMEM spaces.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`99e3a236dd43d06c65af0a2ef9cb44306aef6e02`	affected	< a03975beb9f6af0d8ac051e30b2abeabe618414f
`99e3a236dd43d06c65af0a2ef9cb44306aef6e02`	affected	< 0ec4d3f6e6934deb843b561ae048cd17218e5ad1
`99e3a236dd43d06c65af0a2ef9cb44306aef6e02`	affected	< 9ea6ba4f3195dcba6e8b3e7b2e748593b7cafb12
`99e3a236dd43d06c65af0a2ef9cb44306aef6e02`	affected	< 6523bc1b40e69301f24c14338b762af4739d6d39
`99e3a236dd43d06c65af0a2ef9cb44306aef6e02`	affected	< a315e022a72d95ef5f1d4e58e903cb492b0ad931
`ad8fb61c184fe0f8d1e0b5b954d010fb9f94a6ee`	affected	—
`25c9cdef57488578da21d99eb614b97ffcf6e59f`	affected	—
`98d3c852e63b49129515dd18c875999efaf8530a`	affected	—

Linux

affected

Version	Status	Constraints
`5.7`	affected	—
`0`	unaffected	< 5.7
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[99e3a236dd43d06c65af0a2ef9cb44306aef6e02,a03975beb9f6af0d8ac051e30b2abeabe618414f)`	affected	code_commit	—
`[99e3a236dd43d06c65af0a2ef9cb44306aef6e02,0ec4d3f6e6934deb843b561ae048cd17218e5ad1)`	affected	code_commit	—
`[99e3a236dd43d06c65af0a2ef9cb44306aef6e02,9ea6ba4f3195dcba6e8b3e7b2e748593b7cafb12)`	affected	code_commit	—
`[99e3a236dd43d06c65af0a2ef9cb44306aef6e02,6523bc1b40e69301f24c14338b762af4739d6d39)`	affected	code_commit	—
`[99e3a236dd43d06c65af0a2ef9cb44306aef6e02,a315e022a72d95ef5f1d4e58e903cb492b0ad931)`	affected	code_commit	—
`ad8fb61c184fe0f8d1e0b5b954d010fb9f94a6ee`	affected	code_commit	—
`25c9cdef57488578da21d99eb614b97ffcf6e59f`	affected	code_commit	—
`98d3c852e63b49129515dd18c875999efaf8530a`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.7`	affected	generic	—
`[0,5.7)`	unaffected	generic	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel release that incorporates the UMEM headroom fix introduced in commit a0a6…
If an immediate kernel upgrade is not possible, ensure that MBUF allocation for XDP UMEM reserves sufficient headroom by adding an extra 128‑byte tailroom buffer and validating the buffer capacity before registration.
Audit existing XDP UMEM registrations for adequate headroom and tailroom settings, and rebuild or reload affected drivers after applying the patch.

Generated by OpenCVE AI on May 6, 2026 at 11:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0ec4d3f6e6934deb843b561ae048cd17218e5ad1
https://git.kernel.org/stable/c/6523bc1b40e69301f24c14338b762af4739d6d39
https://git.kernel.org/stable/c/9ea6ba4f3195dcba6e8b3e7b2e748593b7cafb12
https://git.kernel.org/stable/c/a03975beb9f6af0d8ac051e30b2abeabe618414f
https://git.kernel.org/stable/c/a315e022a72d95ef5f1d4e58e903cb492b0ad931

History

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-785

Wed, 06 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xsk: tighten UMEM headroom validation to account for tailroom and min frame The current headroom validation in xdp_umem_reg() could leave us with insufficient space dedicated to even receive minimum-sized ethernet frame. Furthermore if multi-buffer would come to play then skb_shared_info stored at the end of XSK frame would be corrupted. HW typically works with 128-aligned sizes so let us provide this value as bare minimum. Multi-buffer setting is known later in the configuration process so besides accounting for 128 bytes, let us also take care of tailroom space upfront.
Title		xsk: tighten UMEM headroom validation to account for tailroom and min frame
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0ec4d3f6e6934deb843b561ae048cd17218e5ad1 https://git.kernel.org/stable/c/6523bc1b40e69301f24c14338b762af4739d6d39 https://git.kernel.org/stable/c/9ea6ba4f3195dcba6e8b3e7b2e748593b7cafb12 https://git.kernel.org/stable/c/a03975beb9f6af0d8ac051e30b2abeabe618414f https://git.kernel.org/stable/c/a315e022a72d95ef5f1d4e58e903cb492b0ad931

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T07:40:25.266Z

Updated: 2026-05-06T07:40:25.266Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43093

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T10:16:22.667

Modified: 2026-05-06T10:16:22.667

Link: CVE-2026-43093

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T12:30:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object