CVE-2026-43465 Overview
CVE-2026-43465 is a Linux kernel vulnerability in the mlx5 Ethernet driver affecting XDP (eXpress Data Path) multi-buffer fragment counting on striding receive queues (RQs). The flaw lives in the net/mlx5e RX path, where dropped fragments produced by bpf_xdp_pull_data() or bpf_xdp_adjust_tail() are not accounted for on the driver side. This results in negative page pool reference counts when the driver later releases page fragments, triggering kernel warnings and risking memory corruption in the networking subsystem.
Critical Impact
An incorrect fragment count in the mlx5 driver causes page pool reference counting errors, producing kernel warnings and potential memory state corruption on systems running XDP multi-buf programs.
Affected Products
- Linux kernel net/mlx5e driver with striding RQ and XDP multi-buf enabled
- Systems using Mellanox/NVIDIA ConnectX adapters running affected mlx5 driver revisions
- XDP programs invoking bpf_xdp_pull_data() or bpf_xdp_adjust_tail() on mlx5 RX paths
Discovery Timeline
- 2026-05-08 - CVE-2026-43465 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43465
Vulnerability Analysis
The vulnerability resides in mlx5e_skb_from_cqe_mpwrq_nonlinear() within the mlx5 Ethernet driver. XDP multi-buffer programs can change the layout of the XDP buffer at runtime by invoking helpers such as bpf_xdp_pull_data() and bpf_xdp_adjust_tail(). A prior fix corrected an outdated assumption that buffer layout remained static during BPF program execution, but it introduced a regression: fragments dropped by the program are no longer counted by the driver. This breaks page pool fragment reference accounting on striding receive queues.
Root Cause
The mlx5 driver allocates a page pool page with pp_ref_count=64 and an internal fragment counter of 0. When an XDP program drops a tail fragment via bpf_xdp_pull_data(), the driver skips counting that fragment. On RQ teardown, the driver releases all 64 fragments while the page pool reference count is only 63, producing a negative reference count detected in mlx5e_page_release_fragmented(). The same flaw applies to the XDP_PASS path through a separate code branch.
Attack Vector
The issue is triggered when XDP multi-buf programs execute on mlx5 striding RQs and modify buffer layout. Reproducing the bug requires loading an XDP program and sending traffic that causes fragment drops, as demonstrated by the drivers/net/xdp.py selftest test_xdp_native_tx_mb. The defect manifests across XDP_TX, XDP_REDIRECT, and XDP_PASS actions. The upstream fix reverts to counting all original XDP buffer fragments and recalculates the nr_frags parameter passed to xdp_update_skb_frags_info() to reflect the post-program layout.
Detection Methods for CVE-2026-43465
Indicators of Compromise
- Kernel WARNING traces originating from mlx5e_page_release_fragmented in include/net/page_pool/helpers.h:297
- Call stacks containing mlx5e_free_rx_mpwqe, mlx5e_dealloc_rx_mpwqe, and mlx5e_close_rq during MTU changes or interface close events
- Page pool reference counting underflow messages on hosts running XDP multi-buf programs against mlx5 NICs
Detection Strategies
- Monitor dmesg and journalctl -k for warnings referencing page_pool underflow or mlx5e_page_release_fragmented
- Audit loaded BPF programs with bpftool prog show to identify XDP multi-buf programs attached to mlx5 interfaces
- Run the kernel selftest drivers/net/xdp.py (test_xdp_native_tx_mb) against mlx5 hardware to reproduce and confirm the defect
Monitoring Recommendations
- Forward kernel logs to a centralized SIEM and alert on mlx5e_page_release_fragmented warning patterns
- Track ethtool RX statistics and page pool counters for anomalous frag release behavior
- Correlate MTU change, link reconfiguration, and XDP program load events with subsequent kernel warnings
How to Mitigate CVE-2026-43465
Immediate Actions Required
- Apply the upstream mainline and stable kernel patches that restore fragment counting in the mlx5 RX path
- Inventory hosts running mlx5 NICs with XDP multi-buf programs and prioritize them for patching
- Until patched, avoid deploying XDP multi-buf programs that call bpf_xdp_pull_data() or bpf_xdp_adjust_tail() on mlx5 striding RQ interfaces
Patch Information
The fix is committed upstream and backported to stable trees. Reference the kernel commits: Kernel commit 043bd62f748b, Kernel commit 7d7342a18fad, and Kernel commit db25c42c2e1f. Rebuild and reboot affected systems after applying the patch.
Workarounds
- Disable XDP multi-buf programs on mlx5 interfaces until the kernel is patched
- Detach BPF programs from affected interfaces with ip link set dev <iface> xdp off
- Restrict MTU and queue reconfiguration on affected interfaces, as teardown paths trigger the warning
# Detach XDP program from an mlx5 interface as a temporary workaround
ip link set dev eth0 xdp off
# Verify no XDP program is attached
ip link show dev eth0 | grep -i xdp
# List loaded BPF programs to identify XDP multi-buf attachments
bpftool prog show
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
