CVE-2026-43500 Overview
CVE-2026-43500 is an out-of-bounds write vulnerability [CWE-787] in the Linux kernel's rxrpc subsystem. The flaw resides in the DATA and RESPONSE packet handlers, which only copy socket buffers (skb) to a linear form before invoking security operations when skb_cloned() returns true. Socket buffers carrying externally-owned paged fragments, including those produced by splice() into a UDP socket via __ip_append_data, bypass this check and reach the in-place decryption path. The AEAD/skcipher scatter-gather list then binds frag pages directly through skb_to_sgvec(), enabling memory corruption. A proof-of-concept named dirtyfrag is publicly available on GitHub.
Critical Impact
A local attacker with low privileges can corrupt kernel memory through crafted splice-loopback traffic, leading to privilege escalation or kernel compromise.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 5.3 (including rc7, rc8)
- Linux Kernel 7.1 (including rc1, rc2)
Discovery Timeline
- 2026-05-11 - CVE-2026-43500 published to NVD
- 2026-05-17 - Last updated in NVD database
Technical Details for CVE-2026-43500
Vulnerability Analysis
The rxrpc subsystem implements the Rx remote procedure call protocol used by AFS. Inside rxrpc_input_call_event() and rxrpc_verify_response(), the kernel copies the incoming skb into a linear buffer before invoking the security operations. This unshare step is gated solely on skb_cloned(). When a socket buffer is not cloned but still references externally-owned page fragments, the gate does not trigger.
Such externally-shared fragments arise when splice() feeds data into a UDP socket via __ip_append_data, which sets the SKBFL_SHARED_FRAG flag. They also appear when a chained skb_has_frag_list() structure is present. The kernel proceeds to in-place decryption, mapping these foreign pages into the AEAD/skcipher scatter-gather list using skb_to_sgvec(). The cryptographic transform then writes plaintext back into pages that the attacker still controls and can mutate, producing a race-prone out-of-bounds write into memory the rxrpc path did not allocate.
Root Cause
The gating condition is incomplete. Only skb_cloned() is checked, ignoring shared paged fragments and frag lists. The fix extends the unshare gate to also fire when skb_has_frag_list() or skb_has_shared_frag() evaluates true, forcing a private linear copy before the crypto SGL is built.
Attack Vector
A local user creates a UDP socket bound to an rxrpc endpoint and uses splice() to attach attacker-controlled pages as shared fragments. The user transmits DATA or RESPONSE packets back to the local rxrpc listener. The in-place decryption operates on the still-shared pages, allowing concurrent modification by the attacker to interfere with the cryptographic state and corrupt kernel memory. The published dirtyfrag proof-of-concept demonstrates this splice-loopback technique. See the GitHub PoC Repository for technical details on the exploitation primitive.
Detection Methods for CVE-2026-43500
Indicators of Compromise
- Local processes invoking splice() against UDP sockets associated with rxrpc/AFS endpoints on hosts that do not run AFS workloads.
- Unexpected kernel oops, slab corruption, or KASAN reports referencing rxrpc_input_call_event, rxrpc_verify_response, or skb_to_sgvec.
- Presence of the dirtyfrag binary or build artifacts cloned from the public proof-of-concept repository.
Detection Strategies
- Audit installed kernel versions across the fleet and flag systems running kernels predating the patch commits 3eae0f4f, aa54b1d2, and d45179f8.
- Monitor kernel ring buffer (dmesg) for crashes and warnings in the rxrpc input path, which indicate exploitation attempts or instability.
- Use eBPF or auditd rules to record splice(2) syscalls targeting UDP socket file descriptors by non-AFS workloads.
Monitoring Recommendations
- Forward kernel logs and process telemetry to a centralized analytics platform for correlation of splice() activity with crash signatures.
- Track loading of the rxrpc and kafs kernel modules on hosts that should not require them and alert on unexpected use.
- Baseline local privilege-escalation indicators such as new SUID processes or unexpected uid transitions following rxrpc activity.
How to Mitigate CVE-2026-43500
Immediate Actions Required
- Apply the upstream stable patches to all affected kernels and reboot impacted systems.
- Where patching is not immediately possible, blacklist the rxrpc kernel module on hosts that do not require AFS.
- Restrict local shell access on multi-tenant systems and verify that untrusted users cannot load kernel modules.
Patch Information
The fix extends the unshare gate to also trigger when skb_has_frag_list() or skb_has_shared_frag() is true, forcing a linear copy before the security operations execute. The corrected paths preserve the zero-copy fast path for kernel-private fragments such as NIC page_pool RX and GRO. Reference the upstream commits: Kernel Patch Commit 3eae0f4, Kernel Patch Commit aa54b1d, and Kernel Patch Commit d45179f.
Workarounds
- Unload and blacklist the rxrpc module on systems that do not use AFS or kAFS.
- Disable unprivileged module autoloading by setting modules_disabled=1 after boot on hardened hosts.
- Constrain splice() exposure by isolating untrusted local users with seccomp profiles or user namespaces that restrict UDP socket operations.
# Configuration example: blacklist rxrpc and verify patched kernel
echo 'blacklist rxrpc' | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
sudo rmmod rxrpc 2>/dev/null || true
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
