CVE-2026-43039 Overview
CVE-2026-43039 is a Linux kernel vulnerability in the Texas Instruments ICSSG PRUETH network driver. The flaw resides in the emac_dispatch_skb_zc() function used for zero-copy receive (ZC RX) dispatch. The function allocates a new socket buffer with napi_alloc_skb() but never copies packet data from the XDP buffer into it. The resulting skb is passed up the network stack containing uninitialized kernel heap memory, leaking kernel data to userspace. A second defect incorrectly marks the skb for page_pool recycling, corrupting page_pool state when freed.
Critical Impact
Attackers receiving network traffic on affected TI ICSSG interfaces can read uninitialized kernel heap contents and trigger page_pool state corruption, enabling information disclosure and potential memory subsystem instability.
Affected Products
- Linux kernel versions containing the icssg-prueth driver with ZC RX dispatch support
- Systems using Texas Instruments ICSSG (Industrial Communication Subsystem Gigabit) Ethernet controllers
- Embedded and industrial devices built on TI Sitara processors leveraging PRU-ICSS Ethernet
Discovery Timeline
- 2026-05-01 - CVE-2026-43039 published to NVD
- 2026-05-03 - Last updated in NVD database
Technical Details for CVE-2026-43039
Vulnerability Analysis
The defect lives in the zero-copy receive path of the icssg-prueth driver. The function emac_dispatch_skb_zc() is responsible for delivering packets received via XDP buffers to the network stack when an XDP program returns XDP_PASS or otherwise hands the frame back to the kernel.
The function calls napi_alloc_skb() to allocate a new skb, but omits the required skb_copy_to_linear_data() step. As a result, the skb data area still contains whatever heap contents the NAPI page frag allocator returned. The kernel then forwards that buffer up the stack as if it were the received packet.
A second issue compounds the problem. The code calls skb_mark_for_recycle() on the skb, but the buffer is backed by the NAPI page frag allocator, not page_pool. When the stack later frees the skb, the recycle path returns pages to a page_pool that does not own them, corrupting page_pool accounting state.
Root Cause
The root cause is two coding errors in the ZC RX dispatch handler: a missing data copy from the XDP buffer into the freshly allocated skb (Uninitialized Memory Use), and an incorrect recycle marker applied to a non-page_pool buffer. The non-ZC path emac_rx_packet() avoids both issues by using napi_build_skb() to wrap the existing page_pool page directly.
Attack Vector
An attacker on the network sends frames to a host using the affected icssg-prueth interface in zero-copy mode. Each delivered frame causes the kernel to expose uninitialized heap memory to userspace receivers and to mismanage page_pool reference counts. Repeated traffic amplifies both the leakage rate and the probability of allocator state corruption.
No verified public exploit code is available. See the upstream fixes at Kernel Git Commit 5597dd2 and Kernel Git Commit a968438d for technical details.
Detection Methods for CVE-2026-43039
Indicators of Compromise
- Unexpected page_pool warnings in kernel logs referencing icssg-prueth, such as messages from page_pool_release_retry or refcount mismatches.
- Anomalous packet payloads received by userspace consumers on TI ICSSG interfaces, including data that does not match wire captures taken in parallel.
- Kernel memory subsystem warnings or WARN_ON traces tied to NAPI page frag allocations during heavy ZC RX traffic.
Detection Strategies
- Audit running kernels for the icssg-prueth driver and confirm whether ZC RX dispatch is enabled on the platform.
- Compare the in-tree driver source against the fix commits to verify whether skb_copy_to_linear_data() is present and skb_mark_for_recycle() has been removed from the ZC path.
- Use packet capture on adjacent hosts to compare frame contents with what userspace receives, identifying mismatches that indicate stale heap data.
Monitoring Recommendations
- Forward kernel ring buffer (dmesg) and journald logs to a centralized analytics platform and alert on page_pool, icssg, and NAPI-related warnings.
- Track interface counters and NAPI poll statistics on devices using TI ICSSG Ethernet to detect abnormal packet drop or recycle behavior.
- Continuously inventory kernel versions across embedded and industrial fleets to identify hosts running unpatched icssg-prueth builds.
How to Mitigate CVE-2026-43039
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in Kernel Git Commit 5597dd2 and Kernel Git Commit a968438d to all affected systems.
- Disable XDP / zero-copy receive on icssg-prueth interfaces until patched kernels are deployed.
- Restrict network exposure of devices that rely on TI ICSSG Ethernet to trusted segments only.
Patch Information
The vulnerability is fixed by adding skb_copy_to_linear_data() to copy XDP buffer contents into the newly allocated skb and by removing the erroneous skb_mark_for_recycle() call from emac_dispatch_skb_zc(). Backports should be applied to any stable kernel branch that includes the icssg-prueth ZC RX dispatch logic. Vendors shipping TI Sitara based platforms should issue firmware or kernel updates incorporating both commits.
Workarounds
- Where patching is not immediately possible, detach XDP programs from icssg-prueth interfaces using ip link set dev <iface> xdp off to force the non-ZC code path, which is unaffected.
- Place affected industrial devices behind segmentation boundaries that prevent untrusted hosts from sending traffic to the vulnerable interface.
- Monitor page_pool health metrics and reboot devices showing recycle-related kernel warnings to clear corrupted allocator state until the patched kernel is installed.
# Configuration example: disable XDP on an icssg-prueth interface as a workaround
sudo ip link set dev eth0 xdp off
sudo ethtool -i eth0 | grep driver # confirm driver: icssg-prueth
uname -r # verify kernel version before/after patch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
