CVE-2026-43284
Published: 08 May 2026
Summary
CVE-2026-43284 is a high-severity Write-what-where Condition (CWE-123) vulnerability in the Linux Kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 0.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Deeper analysis
The vulnerability is a write-what-where flaw (CWE-123) in the Linux kernel's XFRM/ESP input path. When MSG_SPLICE_PAGES attaches pipe pages to a UDP datagram skb, the IPv4/IPv6 datagram splice code omitted the SKBFL_SHARED_FRAG flag that TCP sets after skb_splice_from_iter. ESP therefore treated the skb as an ordinary uncloned nonlinear buffer, took the no-COW fast path, and performed in-place decryption over memory the skb did not own.
A local attacker with the ability to send UDP packets that traverse ESP can supply such shared fragments and cause the kernel to corrupt arbitrary memory during decryption, yielding full confidentiality, integrity, and availability impact on the host (CVSS 8.8, local, no user interaction required). The flaw affects any kernel using ESP-over-UDP with pipe-backed skbs; remote exploitation is not described.
The referenced stable commits (50ed1e787310, 52646cbd00e7, 5d55c7336f80, 71a1d9d985d2, 8253aab4659c) implement the fix by setting SKBFL_SHARED_FRAG on IPv4/IPv6 datagram splice paths and forcing ESP input to call skb_cow_data when the flag is present. ESP output paths were left unchanged because they are already unreachable for nonlinear skbs.
EPSS rose from a low baseline to a peak of 0.3845 (current 0.2634), indicating that exploitation interest increased after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28535
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
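The ownership decision described in the "Deeper analysis" section and in the commit text above, modelled as an added userspace C example. This is not kernel code and not from the advisory or the referenced commits: a toy skb with one pipe-backed fragment is run through the pre-fix and fixed versions of both halves of the fix (the datagram splice path setting the shared-frag flag, and the ESP input COW check honouring it). Names such as `FL_SHARED_FRAG`, `splice_pipe_page`, `cow_data`, `esp_needs_cow` and `esp_input` are simplified stand-ins chosen here, not kernel identifiers, and the XOR "decrypt" and the 64-byte pipe page are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FL_SHARED_FRAG 0x1u   /* stand-in for SKBFL_SHARED_FRAG (assumed name) */
#define MAX_FRAGS 4

struct frag {
    uint8_t *data;   /* backing memory of this fragment */
    size_t   len;
    bool     owned;  /* true when the skb privately owns the memory */
};

struct skb {
    bool        cloned;
    bool        has_frag_list;
    unsigned    flags;
    int         nr_frags;
    struct frag frags[MAX_FRAGS];
};

/* Datagram splice path attaching a pipe page. set_flag=false models the pre-fix
 * IPv4/IPv6 UDP behaviour; true models the fix (what TCP already did). */
static void splice_pipe_page(struct skb *skb, uint8_t *page, size_t len, bool set_flag)
{
    struct frag *f = &skb->frags[skb->nr_frags++];
    f->data = page;
    f->len = len;
    f->owned = false;
    if (set_flag)
        skb->flags |= FL_SHARED_FRAG;
}

/* Models skb_cow_data(): every externally backed frag gets a private copy. */
static int cow_data(struct skb *skb)
{
    for (int i = 0; i < skb->nr_frags; i++) {
        struct frag *f = &skb->frags[i];
        if (f->owned)
            continue;
        uint8_t *copy = malloc(f->len);
        if (!copy)
            return -1;
        memcpy(copy, f->data, f->len);
        f->data = copy;
        f->owned = true;
    }
    return 0;
}

/* ESP input decision. Pre-fix: fast path whenever uncloned and no frag_list.
 * Fixed: additionally copy when the shared-frag flag is set. */
bool esp_needs_cow(const struct skb *skb, bool fixed)
{
    if (skb->cloned || skb->has_frag_list)
        return true;
    return fixed && (skb->flags & FL_SHARED_FRAG) != 0;
}

/* In-place "decrypt" (XOR stand-in). Returns the number of bytes written into
 * memory the skb does not own; nonzero is the write-what-where condition. */
size_t esp_input(struct skb *skb, bool fixed)
{
    size_t foreign = 0;
    if (esp_needs_cow(skb, fixed) && cow_data(skb) != 0)
        return 0; /* allocation failure: packet dropped, nothing written */
    for (int i = 0; i < skb->nr_frags; i++) {
        struct frag *f = &skb->frags[i];
        for (size_t j = 0; j < f->len; j++)
            f->data[j] ^= 0x5a;
        if (!f->owned)
            foreign += f->len;
    }
    return foreign;
}

static void free_skb(struct skb *skb)
{
    for (int i = 0; i < skb->nr_frags; i++)
        if (skb->frags[i].owned)
            free(skb->frags[i].data);
}

/* One ESP-in-UDP packet built from a constructed pipe-backed page. Returns how
 * many bytes ESP wrote into that page (0 when the fix holds), or (size_t)-1 if
 * the counter and the page contents disagree. */
size_t scenario(bool splice_sets_flag, bool esp_fixed)
{
    uint8_t pipe_page[64];                    /* constructed stand-in pipe page */
    memset(pipe_page, 0x11, sizeof pipe_page);
    struct skb skb = {0};
    splice_pipe_page(&skb, pipe_page, sizeof pipe_page, splice_sets_flag);
    size_t foreign = esp_input(&skb, esp_fixed);
    bool untouched = pipe_page[0] == 0x11;
    free_skb(&skb);
    return (untouched == (foreign == 0)) ? foreign : (size_t)-1;
}

/* Private nonlinear frags must keep the fast path under the fixed logic. */
bool private_frag_uses_fast_path(void)
{
    struct skb skb = {0};
    struct frag *f = &skb.frags[skb.nr_frags++];
    f->len = 32;
    f->data = calloc(1, f->len);
    f->owned = true;
    bool fast = f->data && !esp_needs_cow(&skb, true);
    free_skb(&skb);
    return fast;
}

int main(void)
{
    printf("pre-fix splice, pre-fix esp : %zu foreign bytes\n", scenario(false, false));
    printf("fixed splice,   pre-fix esp : %zu foreign bytes\n", scenario(true, false));
    printf("pre-fix splice, fixed esp   : %zu foreign bytes\n", scenario(false, true));
    printf("fixed splice,   fixed esp   : %zu foreign bytes\n", scenario(true, true));
    printf("private frag fast path kept : %s\n", private_frag_uses_fast_path() ? "yes" : "no");
    return 0;
}
```

Running the four combinations shows why the commit changes both sides: setting the flag on the splice path alone, or honouring it in ESP input alone, still leaves every byte of the pipe page rewritten; only the combination copies first, while a privately owned fragment still skips the copy, matching the "existing fast path" note in the commit text.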
- CWE(s): CWE-123 (Write-what-where Condition)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
A CWE-123 write-what-where condition in the kernel's ESP decryption path enables local privilege escalation via crafted skb handling.
Mitigating Controls (NIST 800-53 r5)
- Forces private copies of shared skb fragments before ESP in-place decryption, directly blocking the write-what-where corruption on externally backed memory.
- Isolates kernel packet-processing memory regions so that ESP input cannot modify pipe-backed pages not owned by the skb.
- Requires separation of the ESP cryptographic input path from untrusted shared buffer handling, limiting the blast radius of the missing SKBFL_SHARED_FRAG check.