Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.

That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
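The input-side decision the fix changes, modelled as an added example (not kernel code and not from the commit): a toy skb struct with the vulnerable COW predicate beside the fixed one, and a simulated in-place decrypt that shows the old predicate overwriting a shared pipe page while the new one copies first. The struct fields, the flag's numeric value and the XOR "cipher" are assumptions made for the model.

```c
#include <stdbool.h>
#include <string.h>

#define SKBFL_SHARED_FRAG 0x1u  /* constructed value, not the kernel's */

/* Toy stand-in for the skb state ESP input inspects (assumption). */
struct skb_model {
    bool cloned;           /* skb_cloned(skb) */
    bool nonlinear;        /* skb->data_len != 0 */
    bool has_frag_list;    /* skb_has_frag_list(skb) */
    unsigned flags;        /* skb_shinfo(skb)->flags */
    unsigned char *frag;   /* frag data; may be a pipe page the skb does not own */
    size_t len;
};

/* Before the fix: only cloned skbs or nonlinear skbs with a frag_list get COW. */
static bool needs_cow_before(const struct skb_model *s)
{
    return s->cloned || (s->nonlinear && s->has_frag_list);
}

/* After the fix: also COW when the frags are externally backed (shared). */
static bool needs_cow_after(const struct skb_model *s)
{
    bool shared = s->nonlinear && (s->flags & SKBFL_SHARED_FRAG);
    return s->cloned || (s->nonlinear && s->has_frag_list) || shared;
}

/* Simulated decrypt (XOR with a fixed byte): over the frag directly on the
 * fast path, over a private copy when the predicate asks for COW. */
static void esp_decrypt_sim(struct skb_model *s, unsigned char *priv,
                            bool (*needs_cow)(const struct skb_model *))
{
    unsigned char *buf = s->frag;
    if (needs_cow(s)) { memcpy(priv, s->frag, s->len); buf = priv; }
    for (size_t i = 0; i < s->len; i++) buf[i] ^= 0x5a;
}

/* Returns true if a shared pipe page survives ESP input untouched. */
static bool pipe_page_intact(bool fixed)
{
    unsigned char pipe_page[8] = "ABCDEFG";   /* constructed shared page */
    unsigned char orig[8], priv[8];
    memcpy(orig, pipe_page, sizeof orig);
    struct skb_model s = { .nonlinear = true, .flags = SKBFL_SHARED_FRAG,
                           .frag = pipe_page, .len = sizeof pipe_page };
    esp_decrypt_sim(&s, priv, fixed ? needs_cow_after : needs_cow_before);
    return memcmp(pipe_page, orig, sizeof orig) == 0;
}
```

A private nonlinear skb (no shared flag, no frag_list) still returns false from needs_cow_after, which is the fast path the commit says is preserved.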
Published: 2026-05-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a flaw in the xfrm ESP input path: when a packet is constructed from shared pipe pages with MSG_SPLICE_PAGES, the kernel fails to mark the shared fragments with SKBFL_SHARED_FRAG. Consequently, the fast decryption path decrypts the packet data in place even though the memory is shared. This corrupts or unintentionally exposes data that may be referenced by other sockets, leading to integrity violations and potential leakage of sensitive information. No elevation of privilege or remote execution is provided by the flaw, but the kernel’s state can be compromised during normal packet processing.

Affected Systems

All Linux kernel builds that employ the xfrm ESP input routine, regardless of distribution, are affected when UDP sockets receive ESP‑in‑UDP traffic constructed via splice operations. The flaw applies to both IPv4 and IPv6 variants, as the code paths do not differentiate between them when setting the shared fragment flag. The vulnerability exists in the current mainline kernel and any derivative that has not yet incorporated the patch series that adds the flag and forces a copy‑on‑write before decryption.

Risk and Exploitability

The CVSS base score is 7.8, and EPSS data is unavailable, but the kernel nature of the flaw suggests a high severity rating. The vulnerability is not listed in CISA’s KEV, indicating no active exploitation has been observed yet. Exploitation would require an attacker capable of crafting and sending malicious ESP‑in‑UDP packets that trigger the splice path, a scenario more likely in an environment where the kernel receives untrusted network traffic. Because the issue only corrupts shared memory, it can be used to tamper with traffic flows or facilitate side‑channel leakage rather than granting arbitrary code execution.

Generated by OpenCVE AI on May 8, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that marks shared skb fragments with SKBFL_SHARED_FRAG and makes ESP input fall back to skb_cow_data() (a private copy) instead of decrypting such fragments in place; this is the recommended permanent fix.
  • If an immediate kernel upgrade is not possible, block or restrict ESP‑in‑UDP traffic using firewall rules or iptables to prevent the vulnerable packet path from being invoked.
  • As a temporary countermeasure, disable or limit the use of MSG_SPLICE_PAGES for UDP sockets by reviewing application configurations or kernel settings that enable splice operations on network traffic.

Advisories

No advisories yet.

History

Fri, 08 May 2026 12:15:00 +0000
  Weaknesses: added CWE-123
  References: changed
  Metrics: removed threat_severity None; added cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}; added threat_severity Important

Fri, 08 May 2026 11:00:00 +0000


Fri, 08 May 2026 10:30:00 +0000
  References: changed

Fri, 08 May 2026 09:30:00 +0000
  Weaknesses: added CWE-119

Fri, 08 May 2026 07:45:00 +0000
  Description: added (same text as the Description section above)
  Title: added "xfrm: esp: avoid in-place decrypt on shared skb frags"
  First Time appeared: Linux; Linux linux Kernel
  CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products: added Linux; Linux linux Kernel
  References: changed

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:52:09.732Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43284

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T08:16:43.827

Modified: 2026-05-08T11:16:29.260

Link: CVE-2026-43284

Redhat

Severity : Important

Public Date: 2026-05-07T00:00:00Z

Links: CVE-2026-43284 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T13:30:09Z

Weaknesses