Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.

That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
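
To make the reasoning in the commit message concrete, the following is an added user-space model (not kernel code, and not part of the commit) of the two decisions it describes: whether ESP input may decrypt in place or must fall back to skb_cow_data(), and why the in-place trailer path in ESP output is unreachable for nonlinear skbs. `struct model_skb`, the flag value, and all helper names are assumptions for illustration; the real kernel helpers (skb_cloned, skb_has_frag_list, skb_tailroom, skb_cow_data) are only mirrored in spirit.

```c
/* Added example: a user-space model of the ESP input/output decisions from
 * the commit message. Not kernel code; struct model_skb, the flag bit and
 * the helper names are assumptions for illustration only. */
#include <stdbool.h>
#include <stdio.h>

#define SKBFL_SHARED_FRAG 0x1u   /* modelled flag bit; the real value differs */

struct model_skb {
    bool cloned;            /* skb_cloned(): linear data shared with a clone */
    bool has_frag_list;     /* skb_has_frag_list(): chained skbs present */
    unsigned int data_len;  /* bytes held in paged frags (nonlinear part) */
    unsigned int flags;     /* skb_shinfo(skb)->flags */
};

/* ESP input before the fix: the no-COW fast path is taken for any uncloned
 * skb without a frag_list, regardless of who owns the frag pages. */
static bool esp_input_needs_cow_before(const struct model_skb *skb)
{
    return skb->cloned || skb->has_frag_list;
}

/* ESP input after the fix: shared frags also force skb_cow_data(), so
 * decryption never writes into pages the skb does not own privately. */
static bool esp_input_needs_cow_after(const struct model_skb *skb)
{
    return skb->cloned || skb->has_frag_list ||
           (skb->flags & SKBFL_SHARED_FRAG) != 0;
}

/* Datagram splice path (IPv4/IPv6 append): before the fix UDP left the flag
 * unset, so a spliced skb looked like an ordinary private nonlinear skb. */
static unsigned int udp_splice_frag_flags(bool datagram_fix_applied)
{
    return datagram_fix_applied ? SKBFL_SHARED_FRAG : 0;
}

/* skb_tailroom() model: the kernel reports zero tailroom as soon as the skb
 * has any paged data (data_len != 0). */
static unsigned int model_tailroom(const struct model_skb *skb,
                                   unsigned int linear_tailroom)
{
    return skb->data_len ? 0 : linear_tailroom;
}

/* Could esp_output_head() append the ESP trailer into existing tailroom
 * without skb_cow_data()? The trailer length (tailen) is always positive,
 * so for a nonlinear skb this is never true. */
static bool esp_output_trailer_fits_in_place(const struct model_skb *skb,
                                             unsigned int linear_tailroom,
                                             unsigned int tailen)
{
    return tailen > 0 && model_tailroom(skb, linear_tailroom) >= tailen;
}

int main(void)
{
    /* Constructed sample: an ESP-in-UDP skb built from spliced pipe pages. */
    struct model_skb spliced = { .cloned = false, .has_frag_list = false,
                                 .data_len = 4096, .flags = 0 };

    spliced.flags = udp_splice_frag_flags(false);
    printf("unpatched datagram + unpatched esp: cow=%d (bug: in-place)\n",
           esp_input_needs_cow_before(&spliced));
    printf("unpatched datagram + patched esp:   cow=%d (flag never set)\n",
           esp_input_needs_cow_after(&spliced));

    spliced.flags = udp_splice_frag_flags(true);
    printf("patched datagram + patched esp:     cow=%d (private copy)\n",
           esp_input_needs_cow_after(&spliced));

    printf("esp output in-place trailer on nonlinear skb: %d\n",
           esp_output_trailer_fits_in_place(&spliced, 64, 2));
    return 0;
}
```

The two halves of the fix only work together: marking the frags without teaching ESP input to honour the flag changes nothing, and the ESP-side fallback is inert unless the datagram path actually sets SKBFL_SHARED_FRAG. The output-side helper shows why the commit leaves esp_output_head() alone: a positive tailen can never fit in the zero tailroom of a nonlinear skb, so that path always goes through the destination-frag path or skb_cow_data().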
Published: 2026-05-08
Score: 8.8 High
EPSS: 25.6% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel bug causes the xfrm ESP input path to decrypt shared packet fragments in place because the SKBFL_SHARED_FRAG flag is not set. When UDP sockets receive ESP‑in‑UDP traffic that is created by splicing non‑private pages with MSG_SPLICE_PAGES, the kernel follows a fast in‑place decryption path that modifies shared memory. This results in corruption of the shared data buffer and the possibility that the encrypted payload becomes visible to processes that share the fragment. The weakness is a CWE‑123 flaw related to incorrect memory handling.

Affected Systems

All Linux kernel builds that include the xfrm ESP input routine are affected, regardless of distribution. The issue concerns both IPv4 and IPv6 UDP sockets that use splice operations; any kernel fork built from versions prior to the commits listed in the advisory, and that has not merged the referenced community patch series, remains vulnerable.

Risk and Exploitability

The CVSS score of 8.8 and an EPSS score of 26% indicate a relatively high likelihood that the flaw may be exploited in the wild. The vulnerability is not listed in CISA KEV, but it can be exploited by a remote actor who can send crafted ESP‑in‑UDP packets to trigger the vulnerable decryption path. The attacker must be able to target the system's network interface or a service that accepts such traffic. This flaw can lead to inconsistent kernel state, data tampering, or side‑channel leakage; it does not provide immediate remote code execution or privilege escalation as described in the official advisory. The likely attack vector is over the network by a maliciously crafted ESP‑in‑UDP packet sent to the system, based on the note that UDP sockets receive ESP‑in‑UDP traffic constructed via splice operations.

Generated by OpenCVE AI on May 28, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the patch that marks shared skb fragments with SKBFL_SHARED_FRAG and forces a copy‑on‑write before decryption (patch series referenced in the advisory).
  • If an immediate kernel upgrade is not possible, block or filter ESP‑in‑UDP traffic at the network edge or using iptables/ebtables to prevent the vulnerable decryption path from being invoked.
  • Run the dirtyfrag detection script available from the referenced sources to monitor for abnormal ESP‑in‑UDP packet patterns and alert on suspicious activity.


Tracking


Advisories
Source      ID          Title
Debian DLA  DLA-4572-1  linux security update
Debian DLA  DLA-4574-1  linux-6.1 security update
Debian DSA  DSA-6253-1  linux security update
Debian DSA  DSA-6258-1  linux security update
History

Tue, 26 May 2026 18:30:00 +0000


Thu, 14 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Thu, 14 May 2026 06:30:00 +0000

Type Values Removed Values Added
References

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Mon, 11 May 2026 06:15:00 +0000


Fri, 08 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Fri, 08 May 2026 14:45:00 +0000


Fri, 08 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 08 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-123
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Important


Fri, 08 May 2026 11:00:00 +0000


Fri, 08 May 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 08 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
Title xfrm: esp: avoid in-place decrypt on shared skb frags
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-26T17:32:27.236Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43284

Vulnrichment

Updated: 2026-05-26T17:32:27.236Z

NVD

Status : Modified

Published: 2026-05-08T08:16:43.827

Modified: 2026-05-26T18:16:49.533

Link: CVE-2026-43284

Redhat

Severity : Important

Public Date: 2026-05-07T00:00:00Z

Links: CVE-2026-43284 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T15:30:05Z

Weaknesses