Cyber Resilience

CVE-2026-43500

Severity: High
Published: 11 May 2026
Modified: 17 May 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4027 (97.4th percentile)
Risk priority: 40 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-43500 is a high-severity out-of-bounds write (CWE-787) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 2.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2026-43500 is an out-of-bounds write (CWE-787) in the Linux kernel's rxrpc subsystem. The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy an skb to a linear buffer before invoking the security operations only when skb_cloned() is true. Packets carrying externally owned paged fragments (for example, fragments with SKBFL_SHARED_FRAG set by splice() into a UDP socket, or skbs chained via skb_has_frag_list()) are not cloned, so they bypass that copy and reach in-place AEAD/skcipher decryption through skb_to_sgvec(), which binds the shared fragment pages directly into the scatter-gather list.

A local attacker with low privileges can trigger the flaw by delivering RXRPC DATA or RESPONSE packets that contain such shared fragments, or by using splice() and related socket operations to introduce them. Successful exploitation results in memory corruption that can yield arbitrary code execution or privilege escalation on the affected system.

The fix merged into mainline and stable kernels extends the unshare gate to also test skb_has_frag_list() and skb_has_shared_frag(), so that the zero-copy fast path is kept only for kernel-private fragments (for example page_pool RX or GRO) while the existing OOM and trace handling is reused.

The associated EPSS score has risen to a peak of 0.4354 (current 0.4027), indicating material post-disclosure exploitation interest.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
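As an added illustration (a constructed user-space model, not kernel code and not the upstream patch), the C program below models the unshare gate described in the analysis above and in the commit text: a packet that is not cloned but whose only fragment is a page shared with its owner (SKBFL_SHARED_FRAG, as splice() sets it) passes the cloned-only check, so the in-place decryption writes into memory rxrpc does not own, whereas the extended gate copies first. The struct, the field names and the XOR stand-in for decryption are assumptions.

```c
#include <stdbool.h>
#include <string.h>

#define FRAG_LEN 16

/* Constructed model of the skb properties the rxrpc gate inspects (not kernel code). */
struct skb_model {
    bool cloned;          /* skb_cloned() */
    bool has_frag_list;   /* skb_has_frag_list(): chained skbs */
    bool has_shared_frag; /* skb_has_shared_frag(): SKBFL_SHARED_FRAG, e.g. set by splice() */
    unsigned char *frag;  /* the single paged fragment holding the payload */
};

/* Pre-patch gate: copy to a private linear buffer only when the skb is cloned. */
static bool needs_unshare_vulnerable(const struct skb_model *skb) { return skb->cloned; }

/* Patched gate: also unshare when the fragment pages are owned by someone else. */
static bool needs_unshare_fixed(const struct skb_model *skb) {
    return skb->cloned || skb->has_frag_list || skb->has_shared_frag;
}

/* Stand-in for in-place AEAD/skcipher decryption of the bytes bound into the SGL. */
static void decrypt_in_place(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5a;
}

/*
 * Run the security op behind the given gate. Returns true if the owner's page
 * (the memory `frag` points at, e.g. a page splice()d in from user space) was
 * changed, i.e. the decryption wrote into memory rxrpc did not own.
 */
static bool owner_page_modified(const struct skb_model *skb,
                                bool (*gate)(const struct skb_model *)) {
    unsigned char before[FRAG_LEN];
    unsigned char copy[FRAG_LEN];
    unsigned char *work = skb->frag;
    memcpy(before, skb->frag, FRAG_LEN);
    if (gate(skb)) {                 /* unshare: decrypt a private copy instead */
        memcpy(copy, skb->frag, FRAG_LEN);
        work = copy;
    }
    decrypt_in_place(work, FRAG_LEN);
    return memcmp(before, skb->frag, FRAG_LEN) != 0;
}

/* Constructed DATA packet: not cloned, but its only fragment is a shared page. */
static unsigned char shared_page[FRAG_LEN] = "RXRPC DATA pkt!";
static struct skb_model spliced_skb(void) {
    struct skb_model s = { .cloned = false, .has_frag_list = false,
                           .has_shared_frag = true, .frag = shared_page };
    return s;
}
```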

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel memory corruption (CWE-787) in network packet path enables local/remote privilege escalation via crafted RXRPC traffic or splice vectors.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux Linux Kernel)
CVE-2026-31772 (same product: Linux Linux Kernel)
CVE-2026-23378 (same product: Linux Linux Kernel)
CVE-2026-31494 (same product: Linux Linux Kernel)
CVE-2025-21735 (same product: Linux Linux Kernel)
CVE-2025-21650 (same product: Linux Linux Kernel)
CVE-2024-52319 (same product: Linux Linux Kernel)
CVE-2024-58003 (same product: Linux Linux Kernel)
CVE-2026-23343 (same product: Linux Linux Kernel)
CVE-2026-23092 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Listed versions: 5.3, 7.1; affected ranges: 5.3 to 6.18.29 and 6.19 to 7.0.6

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-787: out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
