Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Published: 2026-05-11
Score: 7.8 High
EPSS: 33.7% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the flaw exists in rxrpc packet handling. When a packet carries externally owned paged fragments that are not cloned—such as fragments introduced via splice() on a UDP socket or attached through a fragment list—the kernel bypasses its usual linear copy and enters an in‑place decryption path that binds the fragment pages directly into the AEAD/skcipher scatter‑gather list. The shared fragment pages can be manipulated, leading to buffer read/write errors that match CWE‑123 and CWE‑787. The result is arbitrary kernel memory corruption.

Affected Systems

All Linux kernel releases prior to the commit that added the unshare check are potentially vulnerable. The Common Platform Enumerations list generic Linux kernel and specific releases such as 5.3, 5.3‑rc7, 5.3‑rc8, 7.1‑rc1, and 7.1‑rc2. Therefore, most distributions that ship any of those kernels are at risk if they process rxrpc traffic with externally shared fragments.

Risk and Exploitability

The CVSS score of 7.8 rates the issue High, and the EPSS of 34% indicates a moderate likelihood of exploitation. The vulnerability is not in CISA’s KEV catalog. Based on the description, it is inferred that a remote attacker must be able to send crafted rxrpc packets that trigger the vulnerable path—such as using splice into a UDP socket or building packets with shared fragment lists—to achieve kernel memory corruption, which could lead to privilege escalation or arbitrary code execution. No prerequisite user privileges are required, making any remote host reachable through the RxRPC service a potential attack target.

Generated by OpenCVE AI on June 12, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the unshare check for rxrpc packet handling.
  • If an upgrade cannot be applied immediately, block inbound and outbound RxRPC traffic on the standard port using firewall rules or by disabling the RxRPC protocol in the kernel configuration.
  • Avoid using splice() on UDP sockets or constructing packets that include externally shared fragment lists until the kernel patch is applied; this limits the vector that triggers the flaw.
  • As a last resort, rebuild the kernel without RxRPC support if the protocol is not required for your environment.

Generated by OpenCVE AI on June 12, 2026 at 14:57 UTC.
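
To decide which of the recommended actions applies to a given host, the following added example (not part of the OpenCVE record or of the kernel project) classifies how RxRPC is present in the running kernel. It assumes the in-tree module name `rxrpc`, the config symbol `CONFIG_AF_RXRPC`, and a Debian/Ubuntu-style `/boot/config-<release>` file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify RxRPC exposure on a host.
# rxrpc_exposure MODULES_FILE CONFIG_FILE
# Prints: loaded | builtin | module-available | not-built | unknown
rxrpc_exposure() {
    modules_file=$1
    config_file=$2
    # /proc/modules lists one loaded module per line, name in field 1.
    if [ -r "$modules_file" ] &&
       awk '$1 == "rxrpc" { found = 1 } END { exit !found }' "$modules_file"
    then
        echo loaded
        return 0
    fi
    if [ ! -r "$config_file" ]; then
        echo unknown
        return 0
    fi
    # Match the exact symbol only, not CONFIG_AF_RXRPC_IPV6 and friends.
    case $(grep -E '^(# )?CONFIG_AF_RXRPC[= ]' "$config_file" | head -n 1) in
        CONFIG_AF_RXRPC=y) echo builtin ;;
        CONFIG_AF_RXRPC=m) echo module-available ;;
        *)                 echo not-built ;;
    esac
}

# Map each state to the matching action from the list above.
rxrpc_action() {
    case $1 in
        loaded)           echo "upgrade kernel; until then filter RxRPC traffic" ;;
        builtin)          echo "upgrade kernel, or rebuild without CONFIG_AF_RXRPC" ;;
        module-available) echo "upgrade kernel; keep the module unloaded until then" ;;
        not-built)        echo "no RxRPC code in this kernel" ;;
        *)                echo "kernel config not readable; check manually" ;;
    esac
}

# Live check when the script is run on a host.
state=$(rxrpc_exposure /proc/modules "/boot/config-$(uname -r)")
echo "rxrpc: $state -> $(rxrpc_action "$state")"
```

A `loaded` result means an RxRPC user (for example the kafs filesystem) has already pulled the module in, so that host should be patched first.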

Advisories
Source       ID           Title
Debian DLA   DLA-4572-1   linux security update
Debian DLA   DLA-4574-1   linux-6.1 security update
Debian DSA   DSA-6253-1   linux security update
Debian DSA   DSA-6258-1   linux security update
Ubuntu USN   USN-8370-1   Linux kernel vulnerabilities
Ubuntu USN   USN-8371-1   Linux kernel vulnerabilities
Ubuntu USN   USN-8373-1   Linux kernel vulnerabilities
Ubuntu USN   USN-8374-1   Linux kernel vulnerabilities
Ubuntu USN   USN-8426-1   Linux kernel (Azure) vulnerabilities

History

Sun, 17 May 2026 15:45:00 +0000


Thu, 14 May 2026 15:15:00 +0000


Mon, 11 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Mon, 11 May 2026 16:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-123
CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:5.3:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.3:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.3:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 11 May 2026 09:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
Title rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-20T16:08:12.294Z

Reserved: 2026-05-01T14:12:56.014Z

Link: CVE-2026-43500

Vulnrichment

Updated: 2026-05-11T15:51:04.282Z

NVD

Status : Modified

Published: 2026-05-11T08:16:16.077

Modified: 2026-05-17T16:16:16.740

Link: CVE-2026-43500

Redhat

Severity : Important

Public Date: 2026-05-07T00:00:00Z

Links: CVE-2026-43500 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-12T15:00:09Z

Weaknesses