Cyber Resilience

CVE-2026-43284

High · Public PoC · Updated

Published: 08 May 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (stable commits listed under Deeper analysis)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9324 (99.8th percentile)
Risk Priority: 80 (floored blend · peak EPSS)

Summary

CVE-2026-43284 is a high-severity Write-what-where Condition (CWE-123) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 0.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability is a write-what-where flaw (CWE-123) in the Linux kernel's XFRM/ESP input path. When MSG_SPLICE_PAGES attaches pipe pages to a UDP datagram skb, the IPv4/IPv6 datagram splice code omitted the SKBFL_SHARED_FRAG flag that TCP sets after skb_splice_from_iter. ESP therefore treated the skb as an ordinary uncloned nonlinear buffer, took the no-COW fast path, and performed in-place decryption over memory the skb did not own.

A local attacker with the ability to send UDP packets that traverse ESP can supply such shared fragments and cause the kernel to corrupt arbitrary memory during decryption, yielding full confidentiality, integrity, and availability impact on the host (CVSS 8.8, local, no user interaction required). The flaw affects any kernel using ESP-over-UDP with pipe-backed skbs; remote exploitation is not described.

The referenced stable commits (50ed1e787310, 52646cbd00e7, 5d55c7336f80, 71a1d9d985d2, 8253aab4659c) implement the fix by setting SKBFL_SHARED_FRAG on IPv4/IPv6 datagram splice paths and forcing ESP input to call skb_cow_data when the flag is present. ESP output paths were left unchanged because they are already unreachable for nonlinear skbs.

EPSS rose from a low baseline to a peak of 0.3845 (current 0.2634), indicating that exploitation interest increased after disclosure.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
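The following C program is an added illustration of the two passages above (the Deeper analysis and the kernel description); it is not kernel code and not taken from the referenced stable commits. It models the state an skb carries into ESP input and the check ESP makes before choosing the in-place fast path. The identifiers SKBFL_SHARED_FRAG, data_len, cloned, frag_list and skb_cow_data() are the ones the advisory names, but the struct layout, the flag's bit value, the single-frag buffer and the stand-in "decryption" are all constructed assumptions. It runs each combination of the two halves of the fix (flag set by the datagram splice path, flag honoured by ESP input) to show that both are needed before the pipe-owned page stops being written, and it models the skb_tailroom() argument for why ESP output needed no change.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not kernel code. Names such as SKBFL_SHARED_FRAG, data_len,
 * cloned and frag_list mirror identifiers the advisory names; the struct
 * layout, the bit value and the "decryption" are constructed stand-ins. */

#define SKBFL_SHARED_FRAG 0x1u   /* placeholder bit value */

struct skb_model {
    bool cloned;                 /* skb_cloned() */
    bool has_frag_list;          /* skb_has_frag_list() */
    unsigned int flags;          /* SKBFL_* bits */
    size_t data_len;             /* bytes held in frags (nonlinear part) */
    uint8_t *frag_data;          /* the single frag of this toy skb */
    size_t frag_len;
    uint8_t private_copy[64];    /* where skb_cow_data() would copy to */
};

/* Stand-in for ESP decryption: all that matters is that it writes the buffer it is handed. */
static void toy_decrypt(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= 0x5a;
}

/* Datagram splice before the fix: pipe page attached, sharing flag never set. */
static void datagram_splice_vulnerable(struct skb_model *skb, uint8_t *pipe_page, size_t len) {
    skb->frag_data = pipe_page;
    skb->frag_len = len;
    skb->data_len = len;        /* skb is now nonlinear */
    /* defect described by the advisory: SKBFL_SHARED_FRAG is not set here */
}

/* After the fix: the flag is set, matching TCP after skb_splice_from_iter(). */
static void datagram_splice_fixed(struct skb_model *skb, uint8_t *pipe_page, size_t len) {
    datagram_splice_vulnerable(skb, pipe_page, len);
    skb->flags |= SKBFL_SHARED_FRAG;
}

/* ESP input check before the fix: only clones and frag_lists force skb_cow_data(). */
static bool esp_input_needs_cow_old(const struct skb_model *skb) {
    return skb->cloned || skb->has_frag_list;
}

/* After the fix: externally backed (shared) frags also force the private copy. */
static bool esp_input_needs_cow_new(const struct skb_model *skb) {
    return skb->cloned || skb->has_frag_list || (skb->flags & SKBFL_SHARED_FRAG) != 0;
}

/* ESP input: copy first when the check says so, otherwise decrypt in place. */
static void esp_input(struct skb_model *skb, bool (*needs_cow)(const struct skb_model *)) {
    uint8_t *target = skb->frag_data;
    if (needs_cow(skb)) {
        memcpy(skb->private_copy, skb->frag_data, skb->frag_len);   /* skb_cow_data() */
        target = skb->private_copy;
    }
    toy_decrypt(target, skb->frag_len);
}

/* Run one scenario and report whether the pipe's page was modified under it.
 * The pipe page is a constructed stand-in for memory the skb does not own. */
static bool pipe_page_corrupted(bool fixed_splice, bool fixed_esp) {
    uint8_t pipe_page[16];
    struct skb_model skb = {0};

    memset(pipe_page, 0x11, sizeof pipe_page);
    if (fixed_splice)
        datagram_splice_fixed(&skb, pipe_page, sizeof pipe_page);
    else
        datagram_splice_vulnerable(&skb, pipe_page, sizeof pipe_page);
    esp_input(&skb, fixed_esp ? esp_input_needs_cow_new : esp_input_needs_cow_old);
    return pipe_page[0] != 0x11;
}

/* Why ESP output was left alone: skb_tailroom() is zero for a nonlinear skb
 * (data_len != 0) while the ESP trailer length (tailen) is always positive,
 * so the append-to-tailroom path that skips skb_cow_data() is unreachable. */
static bool esp_output_tailroom_path_reachable(size_t data_len, size_t linear_room, size_t tailen) {
    size_t tailroom = data_len ? 0 : linear_room;   /* skb_tailroom() */
    return tailen > 0 && tailroom >= tailen;
}

int main(void) {
    printf("vulnerable splice, old ESP input: corrupted=%d\n", pipe_page_corrupted(false, false));
    printf("fixed splice,      old ESP input: corrupted=%d\n", pipe_page_corrupted(true, false));
    printf("vulnerable splice, new ESP input: corrupted=%d\n", pipe_page_corrupted(false, true));
    printf("fixed splice,      new ESP input: corrupted=%d\n", pipe_page_corrupted(true, true));
    printf("ESP output tailroom path reachable for nonlinear skb: %d\n",
           esp_output_tailroom_path_reachable(16, 128, 2));
    return 0;
}
```

Only the fourth scenario leaves the pipe page untouched: setting the flag without teaching ESP input to honour it, or the reverse, still ends in an in-place write over memory the skb does not own, which is why the fix touches both the datagram splice paths and esp input. The last line reproduces the tailroom reasoning: with a nonzero data_len the modelled skb_tailroom() is zero, so the no-COW output path is never selected.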

CWE(s): CWE-123 (Write-what-where Condition)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CWE-123 write-what-where in kernel ESP decryption path enables local privilege escalation via crafted skb handling.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31474 (same product: Linux Linux Kernel)
CVE-2026-31516 (same product: Linux Linux Kernel)
CVE-2024-57792 (same product: Linux Linux Kernel)
CVE-2026-23326 (same product: Linux Linux Kernel)
CVE-2026-23280 (same product: Linux Linux Kernel)
CVE-2025-71123 (same product: Linux Linux Kernel)
CVE-2026-31570 (same product: Linux Linux Kernel)
CVE-2026-23288 (same product: Linux Linux Kernel)
CVE-2026-23014 (same product: Linux Linux Kernel)
CVE-2022-49275 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 4.11 — 5.10.255 · 5.12 — 5.15.205 · 5.16 — 6.1.171

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent: Forces private copies of shared skb fragments before ESP in-place decryption, directly blocking the write-what-where corruption on externally backed memory.

prevent: Isolates kernel packet-processing memory regions so that ESP input cannot modify pipe-backed pages not owned by the skb.

prevent: Requires separation of the ESP cryptographic input path from untrusted shared buffer handling, limiting the blast radius of the missing SKBFL_SHARED_FRAG check.
