CVE-2026-43284 Overview
CVE-2026-43284 is a Linux kernel vulnerability in the xfrm ESP (Encapsulating Security Payload) input path. The flaw allows in-place decryption of shared socket buffer (skb) fragments when ESP-in-UDP packets are constructed from pipe-backed pages via MSG_SPLICE_PAGES. The IPv4/IPv6 datagram append paths failed to set the SKBFL_SHARED_FRAG flag, causing ESP input to misidentify externally backed frags as private skb data. A local attacker with low privileges can corrupt memory shared outside the skb, impacting confidentiality, integrity, and availability.
Critical Impact
A local low-privileged user can leverage shared pipe-backed pages spliced into UDP skbs to trigger ESP in-place decryption over memory not owned by the skb, enabling memory corruption across security boundaries in containerized environments.
Affected Products
- Linux Kernel (multiple stable branches prior to fix commits)
- Distributions shipping vulnerable kernels with CONFIG_XFRM and ESP-in-UDP enabled
- Container orchestration platforms relying on affected kernels (e.g., Kubernetes nodes)
Discovery Timeline
- 2026-05-08 - CVE-2026-43284 published to NVD
- 2026-05-08 - Initial Openwall oss-security disclosure posted
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-43284
Vulnerability Analysis
The vulnerability resides in how the Linux kernel handles non-linear skbs containing pipe-spliced page fragments during ESP decryption. MSG_SPLICE_PAGES is an in-kernel sendmsg flag, set when splice(2) feeds a socket from a pipe, that attaches the pipe's pages to an skb directly, without copying; the pages stay referenced by the pipe (and, if they were spliced in from a file, by the page cache). TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), signaling later code paths to perform copy-on-write before modifying packet data. The IPv4 and IPv6 datagram append paths used for UDP construction omitted this flag.
When an ESP-in-UDP packet is built from shared pipe pages, the resulting skb appears as an uncloned non-linear skb to ESP input. The ESP receive path then selects the no-COW fast path intended for privately owned uncloned skbs without a frag_list. Decryption proceeds in place, writing plaintext over memory regions that may still be referenced through the originating pipe or other consumers. This corrupts data outside the skb's ownership domain and undermines isolation guarantees [CWE-123].
Root Cause
The defect is a missing flag assignment in __ip_append_data() and __ip6_append_data() when splicing pages into UDP skbs. Without SKBFL_SHARED_FRAG, downstream code cannot distinguish externally backed frags from private frags, and ESP input's optimization assumption breaks.
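To make the two halves of the fix concrete, here is an added user-space model of the esp_input() decision described above. It is not kernel code and not part of this advisory: the struct is a toy, the predicate names mirror the kernel helpers (skb_cloned, skb_has_frag_list, skb_is_nonlinear, skb_has_shared_frag), and SKBFL_SHARED_FRAG keeps its kernel bit value. It builds skbs the way the text says TCP and the pre- and post-fix UDP datagram paths build them, and shows that neither setting the flag in the datagram path nor checking it in ESP input is sufficient on its own.

```c
/* Added example (user-space model, not kernel code): the esp_input() no-COW
 * fast-path decision before and after the fix, applied to skbs built the way
 * TCP and the UDP datagram paths build them. Names mirror the kernel's; the
 * struct itself is a toy. */
#include <stdbool.h>
#include <stdio.h>

#define SKBFL_SHARED_FRAG (1U << 1)   /* value mirrors include/linux/skbuff.h */

struct model_skb {
    bool cloned;                 /* skb_cloned(): data area shared with a clone */
    bool has_frag_list;          /* skb_has_frag_list(): chained skbs present */
    unsigned int nr_frags;       /* page fragments attached; non-linear when > 0 */
    unsigned int shinfo_flags;   /* skb_shinfo(skb)->flags */
    bool frags_owned_elsewhere;  /* ground truth the kernel cannot see: pages still
                                    referenced by a pipe or the page cache */
};

static bool skb_is_nonlinear(struct model_skb s) { return s.nr_frags > 0; }
static bool skb_has_shared_frag(struct model_skb s)
{
    return (s.shinfo_flags & SKBFL_SHARED_FRAG) != 0;
}

/* esp_input() before the fix: every uncloned skb without a frag_list skips skb_cow_data(). */
bool esp_in_place_prepatch(struct model_skb s)
{
    return !s.cloned && !s.has_frag_list;
}

/* esp_input() after the fix: a non-linear skb whose frags are flagged shared
 * falls back to skb_cow_data(); only privately owned frags keep the fast path. */
bool esp_in_place_patched(struct model_skb s)
{
    if (s.cloned || s.has_frag_list)
        return false;
    if (skb_is_nonlinear(s) && skb_has_shared_frag(s))
        return false;
    return true;
}

/* In-place decryption is only harmful when the overwritten bytes are not the skb's. */
bool in_place_corrupts(struct model_skb s, bool (*in_place)(struct model_skb))
{
    return in_place(s) && s.frags_owned_elsewhere;
}

/* Producers. The flag is the only thing the datagram-path half of the fix changes. */
struct model_skb tcp_spliced_skb(void)          /* tcp_sendmsg_locked() sets the flag; shown for
                                                   the flag contrast only, whether such an skb ever
                                                   reaches esp_input() is outside this model */
{
    return (struct model_skb){ .nr_frags = 2, .shinfo_flags = SKBFL_SHARED_FRAG,
                               .frags_owned_elsewhere = true };
}
struct model_skb udp_spliced_skb_prepatch(void) /* __ip_append_data() before the fix */
{
    return (struct model_skb){ .nr_frags = 2, .shinfo_flags = 0,
                               .frags_owned_elsewhere = true };
}
struct model_skb udp_spliced_skb_patched(void)  /* __ip_append_data() after the fix */
{
    return (struct model_skb){ .nr_frags = 2, .shinfo_flags = SKBFL_SHARED_FRAG,
                               .frags_owned_elsewhere = true };
}
struct model_skb udp_copied_skb(void)           /* ordinary sendmsg(): private copy, linear */
{
    return (struct model_skb){ .nr_frags = 0, .shinfo_flags = 0,
                               .frags_owned_elsewhere = false };
}

int main(void)
{
    struct { const char *name; struct model_skb skb; } cases[] = {
        { "tcp spliced",           tcp_spliced_skb() },
        { "udp spliced, prepatch", udp_spliced_skb_prepatch() },
        { "udp spliced, patched",  udp_spliced_skb_patched() },
        { "udp copied",            udp_copied_skb() },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s corrupts with old esp_input=%d, with fixed esp_input=%d\n",
               cases[i].name,
               in_place_corrupts(cases[i].skb, esp_in_place_prepatch),
               in_place_corrupts(cases[i].skb, esp_in_place_patched));
    return 0;
}
```

The "udp spliced, prepatch" row corrupts under both predicates and the "udp spliced, patched" row still corrupts under the old ESP predicate, which is why the upstream series touches both the datagram append paths and ESP input.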
Attack Vector
A local attacker needs two things: an ESP security association with UDP encapsulation, and a UDP socket fed from a pipe with splice(2). Installing the SA through xfrm netlink requires CAP_NET_ADMIN only in the socket's own network namespace, which an unprivileged process can obtain by unsharing a user and network namespace. Splicing from the pipe is what makes the kernel attach the pipe's pages to the outgoing skb with MSG_SPLICE_PAGES; that flag is set in-kernel and is stripped from user-supplied sendmsg() flags, so the observable user-space action is the splice/vmsplice call, not a flag. The attacker stages pages in the pipe, splices them into the encapsulated socket, and lets ESP input decrypt in place over them. In container environments this crosses tenant boundaries when the spliced pages belong to the page cache of a file shared with other tenants or with the host.
# Proof-of-concept reference (Kubernetes container)
public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-iptables:2026-03-11-1773190710.2023
# Source: https://github.com/Percivalll/Dirty-Frag-Kubernetes-PoC
Detection Methods for CVE-2026-43284
Indicators of Compromise
- Unexpected kernel oops or memory-corruption reports with esp_input(), esp6_input(), or skb_cow_data() in the call stack.
- Processes that splice(2) or vmsplice(2) pipe data into UDP sockets on hosts where ESP-in-UDP security associations exist, in particular toward loopback or other local addresses (MSG_SPLICE_PAGES itself never appears in user-space tracing; the splice calls do).
- Container workloads loading the xfrm_user module or creating IPsec SAs without operational need.
Detection Strategies
- Audit setsockopt(UDP_ENCAP) and xfrm netlink (XFRM_MSG_NEWSA, XFRM_MSG_UPDSA) activity and correlate it with vmsplice/splice syscalls from unprivileged containers.
- Watch /proc/net/xfrm_stat (XfrmInStateProtoError counts ESP authentication failures) and the kernel log for xfrm or ESP warnings that follow splice activity.
- Monitor for execution of public proof-of-concept artifacts referenced in the Dirty-Frag Kubernetes PoC and DirtyFrag PoC.
Monitoring Recommendations
- Enable kernel auditing (auditd). With auditing on, the xfrm code emits MAC_IPSEC_EVENT records (op=SAD-add, op=SPD-add) for every SA and policy installed; add syscall rules for splice and vmsplice from container workloads and correlate the two.
- Collect kernel logs centrally and alert on esp or xfrm subsystem warnings.
- Track Linux kernel package versions across fleet to identify hosts running pre-patch builds.
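The correlation behind the audit strategy above, as an added example that is not part of this advisory or of any PoC: a small C program that reads auditd records and flags any login session that both installs an IPsec SA (a MAC_IPSEC_EVENT record with op=SAD-add, which the xfrm code emits whenever auditing is on) and moves pipe pages into a socket (SYSCALL records for splice, 275, or vmsplice, 278, on x86_64). The sample lines are constructed: the field names follow the kernel's audit formatting, every value is made up, and the function names are this example's own.

```c
/* Added example (not from the advisory or any PoC): correlation logic run over
 * constructed auditd records. A session is flagged when it both installs an
 * IPsec SA (MAC_IPSEC_EVENT, op=SAD-add) and moves pipe pages into a socket
 * (SYSCALL splice=275 or vmsplice=278 on x86_64). Field names follow the
 * kernel's audit formatting; every value in the sample lines is made up. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_splice    275u   /* x86_64 numbers; other architectures differ */
#define NR_vmsplice  278u
#define MAX_SESSIONS 64

/* Reads the unsigned decimal value following `key` (pass the key with its leading space). */
static bool field_uint(const char *line, const char *key, unsigned *out)
{
    const char *p = strstr(line, key);
    if (!p)
        return false;
    *out = (unsigned)strtoul(p + strlen(key), NULL, 10);
    return true;
}

struct session {
    unsigned ses;
    bool sa_added;   /* saw MAC_IPSEC_EVENT op=SAD-add */
    bool spliced;    /* saw SYSCALL splice or vmsplice */
};

static struct session *session_slot(struct session *tab, int *n, unsigned ses)
{
    for (int i = 0; i < *n; i++)
        if (tab[i].ses == ses)
            return &tab[i];
    if (*n >= MAX_SESSIONS)
        return NULL;
    tab[*n] = (struct session){ .ses = ses };
    return &tab[(*n)++];
}

/* Returns how many sessions show both behaviours and writes their ids to out[] (at most max). */
int find_suspicious_sessions(const char *const lines[], int nlines, unsigned out[], int max)
{
    struct session tab[MAX_SESSIONS];
    int n = 0, found = 0;

    for (int i = 0; i < nlines; i++) {
        const char *l = lines[i];
        unsigned ses, nr;
        if (!field_uint(l, " ses=", &ses))   /* xfrm records carry auid/ses but no pid */
            continue;
        struct session *s = session_slot(tab, &n, ses);
        if (!s)
            break;
        if (strncmp(l, "type=MAC_IPSEC_EVENT", 20) == 0 && strstr(l, " op=SAD-add"))
            s->sa_added = true;
        if (strncmp(l, "type=SYSCALL", 12) == 0 && field_uint(l, " syscall=", &nr) &&
            (nr == NR_splice || nr == NR_vmsplice))
            s->spliced = true;
    }
    for (int i = 0; i < n && found < max; i++)
        if (tab[i].sa_added && tab[i].spliced)
            out[found++] = tab[i].ses;
    return found;
}

/* Id of the first flagged session, 0 when none is flagged (audit session ids start at 1). */
unsigned first_suspicious_session(const char *const lines[], int nlines)
{
    unsigned out[MAX_SESSIONS];
    return find_suspicious_sessions(lines, nlines, out, MAX_SESSIONS) > 0 ? out[0] : 0;
}

/* Constructed sample: session 7 adds an SA, then vmsplice()s and splice()s;
 * session 3 is a daemon that only splices; session 9 only adds an SA. */
const char *const sample_audit_lines[] = {
    "type=MAC_IPSEC_EVENT msg=audit(1778227200.101:900): op=SAD-add auid=1000 ses=7 res=1 "
    "src=127.0.0.1 dst=127.0.0.1 spi=4097(0x1001)",
    "type=SYSCALL msg=audit(1778227200.250:901): arch=c000003e syscall=278 success=yes exit=4096 "
    "ppid=4200 pid=4242 auid=1000 uid=1000 ses=7 comm=\"stage\" exe=\"/tmp/stage\" key=\"splice-watch\"",
    "type=SYSCALL msg=audit(1778227200.300:902): arch=c000003e syscall=275 success=yes exit=4096 "
    "ppid=4200 pid=4242 auid=1000 uid=1000 ses=7 comm=\"stage\" exe=\"/tmp/stage\" key=\"splice-watch\"",
    "type=SYSCALL msg=audit(1778227201.000:903): arch=c000003e syscall=275 success=yes exit=65536 "
    "ppid=1 pid=812 auid=4294967295 uid=0 ses=3 comm=\"rsyslogd\" exe=\"/usr/sbin/rsyslogd\" key=\"splice-watch\"",
    "type=MAC_IPSEC_EVENT msg=audit(1778227202.500:904): op=SAD-add auid=4294967295 ses=9 res=1 "
    "src=192.0.2.10 dst=198.51.100.7 spi=4098(0x1002)",
};
const int sample_audit_nlines = 5;

int main(void)
{
    unsigned flagged[MAX_SESSIONS];
    int n = find_suspicious_sessions(sample_audit_lines, sample_audit_nlines, flagged, MAX_SESSIONS);
    for (int i = 0; i < n; i++)
        printf("session %u: SA installed and pipe pages spliced into a socket\n", flagged[i]);
    return 0;
}
```

The SYSCALL records only exist if a rule such as `auditctl -a always,exit -F arch=b64 -S splice -S vmsplice -F auid>=1000 -F auid!=unset -k splice-watch` is loaded; the MAC_IPSEC_EVENT records need no rule. Correlation is on ses= because the xfrm records carry auid and ses but no pid. Processes that never passed through PAM all report ses=4294967295, so for container fleets key additionally on whatever container or cgroup identifier your collector attaches.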
How to Mitigate CVE-2026-43284
Immediate Actions Required
- Apply the upstream kernel patches identified by commits 50ed1e78, 52646cbd, 5d55c733, 71a1d9d9, a6cb440f, ab8b9953, and b54edf1e from the kernel.org stable tree.
- Update to the latest stable kernel release provided by your Linux distribution vendor.
- Restrict unprivileged container access to xfrm netlink and CAP_NET_ADMIN where feasible.
Patch Information
The fix marks IPv4 and IPv6 datagram splice frags with SKBFL_SHARED_FRAG to match TCP behavior. It also modifies ESP input to fall back to skb_cow_data() when the flag is present, preserving the fast path only for privately owned non-linear skb frags. Refer to the upstream commits for the full patch series.
Workarounds
- On hosts that do not need IPsec at all, prevent the xfrm_user (netlink) and af_key (PF_KEY) management modules and the esp4/esp6 transforms from loading. This removes ESP-in-UDP together with all other IPsec, and only works where these are built as modules rather than into the kernel.
- Apply seccomp or AppArmor profiles to container workloads that block splice, vmsplice, and netlink sockets of family NETLINK_XFRM; check first which workloads legitimately rely on splice for zero-copy I/O.
- Drop CAP_NET_ADMIN from container runtime defaults. Because xfrm netlink only requires CAP_NET_ADMIN in the socket's own network namespace, also block unprivileged creation of user and network namespaces (unshare/clone with CLONE_NEWUSER or CLONE_NEWNET) in the container's seccomp profile; otherwise the capability can be regained inside a fresh namespace.
# Block xfrm and ESP modules until patched. Only works where they are modules (=m), so check the
# running kernel's config first; this disables all IPsec on the host, not just ESP-in-UDP.
grep -E 'CONFIG_(XFRM_USER|NET_KEY|INET_ESP|INET6_ESP)=' "/boot/config-$(uname -r)"
printf 'install %s /bin/true\n' xfrm_user af_key esp4 esp6 | sudo tee /etc/modprobe.d/disable-xfrm.conf
sudo modprobe -r esp4 esp6 xfrm_user af_key 2>/dev/null || true   # unload if loaded and not in use
sudo update-initramfs -u   # Debian/Ubuntu; on dracut-based distributions use: sudo dracut -f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


