CVE-2026-43500
Published: 11 May 2026
Summary
CVE-2026-43500 is a high-severity out-of-bounds write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 2.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2026-43500 is an out-of-bounds write (CWE-787) in the Linux kernel's rxrpc subsystem. The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy an skb to a linear buffer before invoking the security operations only when skb_cloned() is true. Packets carrying externally owned paged fragments (for example, fragments with SKBFL_SHARED_FRAG set by splice() into a UDP socket, or chained skbs for which skb_has_frag_list() is true) bypass this copy and reach in-place AEAD/skcipher decryption through skb_to_sgvec(), which binds the shared frag pages directly into the scatter-gather list.
A local attacker with low privileges can trigger the flaw by delivering RXRPC DATA or RESPONSE packets that contain such shared fragments, or by using splice() and related socket operations to introduce them. Successful exploitation results in memory corruption that can yield arbitrary code execution or privilege escalation on the affected system.
Patches merged into mainline and stable kernels extend the unshare gate to also test skb_has_frag_list() and skb_has_shared_frag(), preserving the zero-copy fast path only for kernel-private fragments such as those from page_pool or GRO while reusing existing OOM and trace handling.
The associated EPSS score has risen to a peak of 0.4354 (current 0.4027), indicating material post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29037
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
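The unshare gate described in the analysis above and in the commit message can be illustrated with a small model. The following is an added example written for this page; it is not kernel code and does not use struct sk_buff. It models an skb as a single paged fragment with three flags standing in for what skb_cloned(), skb_has_frag_list() and skb_has_shared_frag() report, a toy XOR transform standing in for the AEAD/skcipher operation, and two gate predicates: the pre-fix "cloned only" gate and the post-fix gate. The scenarios show that, with the old gate, an externally owned page (constructed here as a splice() source buffer) is written by the in-place transform, while the fixed gate copies it out first and still keeps the zero-copy path for a kernel-private fragment. All names in the block are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the skb state the gate looks at; not the kernel's struct sk_buff. */
struct model_skb {
    bool cloned;              /* what skb_cloned() would report */
    bool has_frag_list;       /* what skb_has_frag_list() would report */
    bool frag_is_shared;      /* what skb_has_shared_frag() would report (SKBFL_SHARED_FRAG) */
    unsigned char *frag_page; /* the one paged fragment; may be owned by someone other than rxrpc */
    size_t frag_len;
};

typedef bool (*unshare_gate_t)(const struct model_skb *);

/* Pre-fix gate: only a cloned skb is copied to a linear buffer before the security ops. */
bool gate_cloned_only(const struct model_skb *skb) { return skb->cloned; }

/* Post-fix gate as the commit message describes it: also unshare for frag lists and shared frags. */
bool gate_fixed(const struct model_skb *skb) {
    return skb->cloned || skb->has_frag_list || skb->frag_is_shared;
}

/* Toy stand-in for the in-place AEAD/skcipher transform: it writes into whatever buffer it is given. */
static void toy_decrypt(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= 0x5a;
}

/* Process one DATA/RESPONSE payload under a given gate.
 * Returns true when the transform wrote into the frag page itself (the in-place sgvec path),
 * false when it wrote into the kernel-private linear copy made by the unshare step. */
bool process_payload(struct model_skb *skb, unshare_gate_t gate,
                     unsigned char *linear, size_t linear_cap) {
    if (gate(skb)) {
        size_t n = skb->frag_len < linear_cap ? skb->frag_len : linear_cap;
        memcpy(linear, skb->frag_page, n); /* unshare: private linear copy */
        toy_decrypt(linear, n);
        return false;
    }
    toy_decrypt(skb->frag_page, skb->frag_len); /* zero-copy: page bound straight into the SGL */
    return true;
}

/* Scenario 1: a not-cloned skb whose only frag page belongs to a splice() source (constructed).
 * Returns 1 if that externally owned page was modified under the gate, 0 otherwise. */
int shared_page_modified_under(unshare_gate_t gate) {
    unsigned char spliced[8] = "ABCDEFG"; /* constructed: owned by the splice() source, not rxrpc */
    unsigned char original[8];
    unsigned char linear[8];
    memcpy(original, spliced, sizeof original);
    struct model_skb skb = { .cloned = false, .has_frag_list = false, .frag_is_shared = true,
                             .frag_page = spliced, .frag_len = 7 };
    process_payload(&skb, gate, linear, sizeof linear);
    return memcmp(original, spliced, sizeof original) != 0;
}

/* Scenario 2: a kernel-private frag (e.g. page_pool RX). Returns 1 if the zero-copy path was kept. */
int private_frag_stays_zero_copy(unshare_gate_t gate) {
    unsigned char page_pool[8] = "ABCDEFG"; /* constructed: kernel-private RX page */
    unsigned char linear[8];
    struct model_skb skb = { .cloned = false, .has_frag_list = false, .frag_is_shared = false,
                             .frag_page = page_pool, .frag_len = 7 };
    return process_payload(&skb, gate, linear, sizeof linear) ? 1 : 0;
}

int main(void) {
    printf("shared page modified, old gate: %d\n", shared_page_modified_under(gate_cloned_only));
    printf("shared page modified, fixed gate: %d\n", shared_page_modified_under(gate_fixed));
    printf("private frag zero-copy, old gate: %d\n", private_frag_stays_zero_copy(gate_cloned_only));
    printf("private frag zero-copy, fixed gate: %d\n", private_frag_stays_zero_copy(gate_fixed));
    return 0;
}
```

The point of the model is the ownership asymmetry: the transform itself is the same on both paths, so the only thing that decides whether decrypted bytes land in memory rxrpc owns is the gate. Checking skb_cloned() alone leaves the shared-fragment and frag-list cases on the in-place path, which is exactly what the patch closes.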
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel memory corruption (CWE-787) in the network packet path enables local/remote privilege escalation via crafted RXRPC traffic or splice vectors.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.