Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
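
The gate change described above, as an added example that is not the kernel patch or code from this advisory: a userspace model in which three booleans stand in for what skb_cloned(), skb_has_frag_list() and skb_has_shared_frag() report. The struct, the sample table and the helper names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: the three flags stand in for what skb_cloned(),
 * skb_has_frag_list() and skb_has_shared_frag() report on a real sk_buff. */
struct skb_model {
    const char *origin;   /* constructed sample label */
    bool cloned, has_frag_list, shared_frag;
};

/* Constructed samples covering the cases named in the description. */
static const struct skb_model samples[] = {
    { "cloned skb",                           true,  false, false },
    { "splice() into UDP, SKBFL_SHARED_FRAG", false, false, true  },
    { "chained frag_list",                    false, true,  false },
    { "NIC page_pool RX / GRO frags",         false, false, false },
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

typedef bool (*gate_fn)(const struct skb_model *);

/* Gate before the fix: linear copy only when the skb is cloned. */
static bool gate_old(const struct skb_model *s) { return s->cloned; }

/* Gate after the fix: also copy on frag_list or shared frags. */
static bool gate_new(const struct skb_model *s)
{
    return s->cloned || s->has_frag_list || s->shared_frag;
}

/* Count samples that reach in-place decryption while still carrying
 * frag_list or shared frags, i.e. the case the fix closes. */
static size_t exposed_in_place(gate_fn gate)
{
    size_t n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (!gate(&samples[i]) &&
            (samples[i].has_frag_list || samples[i].shared_frag))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-38s old=%s new=%s\n", samples[i].origin,
               gate_old(&samples[i]) ? "copy" : "in-place",
               gate_new(&samples[i]) ? "copy" : "in-place");
    printf("exposed: old=%zu new=%zu\n",
           exposed_in_place(gate_old), exposed_in_place(gate_new));
    return 0;
}
```

The kernel-private sample stays on the zero-copy path under both gates, which is the fast path the description says the fix preserves.
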
Published: 2026-05-11
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Linux kernel’s rxrpc protocol handlers. When a packet is not cloned but carries externally owned paged fragments—such as those injected via splice() into a UDP socket or attached through an skb fragment list—the kernel bypasses the linear‑copy routine and enters an in‑place decryption path. In that path, the fragment pages are bound directly into the AEAD/skcipher scatter‑gather list used for decryption. This allows an attacker to potentially influence or read memory that is shared with other contexts, thereby exposing sensitive data or corrupting packet contents, which could lead to memory corruption and potentially remote code execution.

The defensive change extends the gate to unshare packets that have fragment lists or shared fragments, ensuring that all externally shared fragment pages are copied before decryption. This mitigates the risk of memory corruption or unauthorized data disclosure.

The vulnerability can be triggered via network traffic using the rxrpc protocol. While no exploit code is publicly known, the attack surface is significant for systems that process externally shared packet fragments, such as those involving splice or fragmented UDP sockets. The EPSS score is unavailable, and the issue is not listed in CISA KEV, suggesting that existing coverage may be limited. Nonetheless, the potential for data leakage or memory corruption makes this a high‑risk flaw that can be exploited remotely by an attacker who can inject crafted rxrpc packets.

Affected Systems

Affected systems are Linux kernel distributions that implement the rxrpc protocol. The advisory does not list specific kernel version ranges; therefore all kernels released prior to the commit that introduced the unshare fix are considered potentially vulnerable. No particular distribution or vendor is singled out beyond the Linux kernel itself.

Risk and Exploitability

The advisory shows no publicly available exploits and the EPSS score is not listed. The lack of a KEV designation suggests that automated detection tools may not identify this vulnerability immediately. Nevertheless, the vulnerability permits an attacker to send crafted rxrpc packets that contain externally shared fragment pages; if the kernel ignores proper cloning, decrypted payloads can be read or corrupted in place, which could lead to memory corruption or even remote code execution. Because the exact CVSS score is not provided, the precise severity is unknown, but the potential impact and ease of exploitation via standard network traffic imply a high risk for systems that allow rxrpc traffic.

Generated by OpenCVE AI on May 11, 2026 at 10:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that enforces cloning of all rxrpc packets with shared or fragment‑list fragments. Updating to a kernel version that includes the commit referenced in the advisory will remove the vulnerability.
  • If an immediate kernel update is not possible, consider disabling the rxrpc protocol at the system level or blocking rxrpc traffic with firewall rules to prevent exploitation.
  • Verify that any network appliances or services interacting with rxrpc are configured to avoid passing packets with externally shared fragments to the kernel.

Advisories
Source | ID | Title
Debian DLA | DLA-4572-1 | linux security update
Debian DLA | DLA-4574-1 | linux-6.1 security update
Debian DSA | DSA-6253-1 | linux security update
Debian DSA | DSA-6258-1 | linux security update

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-123
CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:5.3:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.3:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.3:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 11 May 2026 09:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T06:26:45.838Z

Reserved: 2026-05-01T14:12:56.014Z

Link: CVE-2026-43500

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-11T08:16:16.077

Modified: 2026-05-11T12:17:27.930

Link: CVE-2026-43500

Red Hat

Severity: Important

Public Date: 2026-05-07T00:00:00Z

Links: CVE-2026-43500 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T10:15:34Z

Weaknesses