CVE-2026-43039
Published: 01 May 2026
Summary
CVE-2026-43039 is a critical-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the specific flaw in the icssg-prueth driver's ZC RX dispatch via kernel patches, preventing uninitialized memory leaks and page_pool corruption.
Prevents exploitation by disabling or restricting non-essential kernel drivers like icssg-prueth, avoiding the vulnerable zero-copy RX path.
Identifies vulnerable systems using the icssg-prueth driver through vulnerability scanning of kernel versions, enabling proactive flaw remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation via crafted packets maps to T1190. Kernel heap leakage and page_pool corruption enable memory disclosure and potential privilege escalation (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch emac_dispatch_skb_zc() allocates a new skb via napi_alloc_skb() but never copies the packet data from the XDP…
more
buffer into it. The skb is passed up the stack containing uninitialized heap memory instead of the actual received packet, leaking kernel heap contents to userspace. Copy the received packet data from the XDP buffer into the skb using skb_copy_to_linear_data(). Additionally, remove the skb_mark_for_recycle() call since the skb is backed by the NAPI page frag allocator, not page_pool. Marking a non-page_pool skb for recycle causes the free path to return pages to a page_pool that does not own them, corrupting page_pool state. The non-ZC path (emac_rx_packet) does not have these issues because it uses napi_build_skb() to wrap the existing page_pool page directly, requiring no copy, and correctly marks for recycle since the page comes from page_pool_dev_alloc_pages().
Deeper analysisAI
CVE-2026-43039 is a critical vulnerability in the Linux kernel's ti: icssg-prueth driver, which handles Ethernet functionality for Texas Instruments Industrial Communication Subsystem Switch Gigabit (ICSSG) PRU Ethernet. The issue affects the zero-copy (ZC) RX dispatch path in emac_dispatch_skb_zc(), where a new socket buffer (skb) is allocated via napi_alloc_skb() but the packet data from the XDP buffer is not copied into it. As a result, the skb passed up the network stack to userspace contains uninitialized kernel heap memory instead of the actual received packet data, enabling leakage of kernel heap contents. Additionally, an incorrect skb_mark_for_recycle() call is made on an skb backed by the NAPI page frag allocator rather than a page_pool, leading to page_pool state corruption during freeing.
Remote attackers can exploit this vulnerability over the network with no privileges required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), targeting systems using the icssg-prueth driver. By sending crafted packets that trigger the ZC RX path, attackers can receive skbs filled with leaked kernel heap memory in userspace applications processing network traffic, potentially exposing sensitive kernel data such as pointers, credentials, or other heap-allocated structures. The page_pool corruption from improper recycling can further enable denial-of-service via kernel crashes or memory corruption, and may facilitate privilege escalation or additional exploits by destabilizing memory management.
The provided kernel patches at https://git.kernel.org/stable/c/5597dd284ff8c556c0b00f6a34473677426e3f81 and https://git.kernel.org/stable/c/a968438d4fc17ee1dcdc3cfa490dcb5e7709cf76 resolve the issues by explicitly copying packet data from the XDP buffer to the skb using skb_copy_to_linear_data() and removing the erroneous skb_mark_for_recycle() call. Security practitioners should update to kernels incorporating these fixes, verify systems using the icssg-prueth driver (common in embedded or industrial TI-based networking setups), and monitor network traffic for anomalies indicative of exploitation attempts.
Details
- CWE(s)