cbcvebase.
CVE-2026-43500
published 2026-05-11


Priority: P1, 80, high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 92.77% (99.8th percentile)
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

Affected

68 ranges (showing 25)

Vendor | Product | Version range | Fixed in
linux | linux | |
linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < 7c504ffab3efce8f7e4f463b314ae31030bdf18b | 7c504ffab3efce8f7e4f463b314ae31030bdf18b
linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < 3711382a77342a9a1c3d2e7330dcfc7ea927f568 | 3711382a77342a9a1c3d2e7330dcfc7ea927f568
linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c | 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c
linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < d45179f8795222ce858770dc619abe51f9d24411 | d45179f8795222ce858770dc619abe51f9d24411
linux | linux | >= d0d5c0cd1e711c98703f3544c1e6fc1372898de5 < aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 | aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71
linux | linux_kernel | < 6.18.29 | 6.18.29
linux | linux_kernel | |
linux | linux_kernel | |
linux | linux_kernel | |
linux | linux_kernel | |
linux | linux_kernel | |
linux | linux_kernel | |
linux | linux_kernel | >= 6.19 < 7.0.6 | 7.0.6
ubuntu | linux | |
ubuntu | linux-aws | |
ubuntu | linux-aws-5.15 | |
ubuntu | linux-aws-5.4 | |
ubuntu | linux-aws-6.17 | |
ubuntu | linux-aws-6.8 | |
ubuntu | linux-aws-fips | |
ubuntu | linux-azure | |
ubuntu | linux-azure-5.15 | |
ubuntu | linux-azure-5.4 | |
ubuntu | linux-azure-6.17 | |

Detection & IOCs (extracted from sources)

path: /etc/modprobe.d/dirtyfrag.conf
path: /etc/modprobe.d/dirtyfrag-mitigation.conf
command: rmmod esp4 esp6 rxrpc
command: lsmod | grep -E "esp4|esp6|rxrpc"
process: esp4
process: esp6
process: rxrpc
  • CVE-2026-43500 is the RxRPC Page-Cache Write sub-vulnerability of 'Dirty Frag'. Detect exploitation by monitoring for in-place crypto operations on skbs carrying externally-owned paged fragments (skb_has_frag_list() or skb_has_shared_frag() true) in the rxrpc subsystem, particularly via splice() into a UDP socket.
  • Monitor for unexpected modifications to page-cache-backed read-only files such as /etc/passwd and /usr/bin/su in RAM (on-disk file unchanged, but in-memory copy differs). Use integrity monitoring tools that check live memory-mapped file content, not just on-disk hashes.
  • Detect exploit activity by monitoring unprivileged processes making splice() syscalls in combination with rxrpc or UDP socket operations, especially when followed by privilege escalation (uid 0 process spawned from non-root parent).
  • A public Metasploit module exists for CVE-2026-43500 (RxRPC Page-Cache Write). Hunt for execution of Metasploit-generated payloads or the module path linux/local/cve_2026_43284_dirty_frag on compromised hosts.
  • Monitor for creation of /etc/modprobe.d/dirtyfrag.conf or /etc/modprobe.d/dirtyfrag-mitigation.conf as indicators that a system administrator has applied the Dirty Frag mitigation (useful for compliance/coverage tracking).
  • In containerized environments, monitor for unexpected writes to base layer binaries (e.g., /usr/bin/su) from within a container, which may indicate an attempt to exploit Dirty Frag for container escape.
  • The exploit is deterministic (no race condition required), making it highly reliable. Behavioral detections should not rely solely on timing anomalies; instead focus on the splice() + rxrpc/UDP socket combination and subsequent uid change.
  • Disabling esp4/esp6 kernel modules will break IPsec ESP functionality (VPN tunnels, IPsec-encrypted communications). Assess operational impact before applying this mitigation.
  • Disabling the rxrpc kernel module will break AFS (Andrew File System) distributed filesystem functionality.
  • CVE-2026-43500 affects the RxRPC subsystem introduced circa 2023; the paired CVE-2026-43284 (xfrm-ESP) dates to ~2017. Both must be chained for reliable full root escalation — neither alone provides a sufficiently reliable primitive.
  • The vulnerability was disclosed before embargo expiration due to reverse engineering of the fix commit by an unrelated third party, meaning patches may not be universally available at time of disclosure.
  • The exploit requires CAP_NET_ADMIN capability in addition to local access on some configurations; verify whether user namespaces are enabled (user.max_user_namespaces > 0) as this may lower the bar for exploitation.
  • On-disk file integrity checks (e.g., hashing /usr/bin/su on disk) will NOT detect exploitation, as the corruption is purely in RAM page cache. Only in-memory integrity verification will catch active exploitation.
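The splice() + UDP/rxrpc-socket + uid-change sequence the notes above describe, written out as a small detection routine. This is an added example, not part of this record or of any vendor tool; the audit-style JSON events, their field names and the pids are constructed for illustration, and the process-tree inheritance rule is an assumption of the example.

```python
import json
from collections import defaultdict

# Constructed sample events (audit-style JSON lines, not real logs). Assumed
# fields: pid, ppid, uid at event time, syscall/exec name, free-text detail.
SAMPLE_EVENTS = """
{"pid": 4242, "ppid": 4200, "uid": 1000, "event": "socket", "detail": "AF_RXRPC SOCK_DGRAM"}
{"pid": 4242, "ppid": 4200, "uid": 1000, "event": "splice", "detail": "fd_in=3 fd_out=4"}
{"pid": 4243, "ppid": 4242, "uid": 0, "event": "execve", "detail": "/usr/bin/su"}
{"pid": 4244, "ppid": 4243, "uid": 0, "event": "execve", "detail": "/bin/sh"}
{"pid": 5100, "ppid": 5000, "uid": 1000, "event": "socket", "detail": "AF_INET SOCK_DGRAM"}
{"pid": 5100, "ppid": 5000, "uid": 1000, "event": "splice", "detail": "fd_in=3 fd_out=4"}
{"pid": 6000, "ppid": 1, "uid": 0, "event": "execve", "detail": "/usr/sbin/sshd"}
"""
# UDP (SOCK_DGRAM) and rxrpc sockets are the combination the notes above name.
SOCKET_MARKERS = ("SOCK_DGRAM", "AF_RXRPC")

def detect_dirty_frag_chain(lines):
    """Return (alerts, partial). alerts: processes that paired splice() with a
    UDP/rxrpc socket and then ran as uid 0 (self or child) from a non-root
    baseline. partial: pids with both signals but no uid change yet."""
    state = defaultdict(lambda: {"uid": None, "splice": False, "socket": False})
    alerts, flagged = [], set()
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        pid, ppid, uid = ev["pid"], ev["ppid"], ev["uid"]
        me = state[pid]
        if me["uid"] is None:
            # First sighting: a forked child inherits fds, so carry the parent's
            # signals and take the parent's uid as the pre-escalation baseline.
            parent = state[ppid]
            me["splice"], me["socket"] = parent["splice"], parent["socket"]
            prev_uid, origin = parent["uid"], ppid
        else:
            prev_uid, origin = me["uid"], pid
        if uid == 0 and prev_uid not in (None, 0) and me["splice"] and me["socket"]:
            alerts.append({"pid": pid, "origin": origin, "event": ev["event"]})
            flagged.add(origin)
        me["uid"] = uid
        if ev["event"] == "splice":
            me["splice"] = True
        elif ev["event"] == "socket" and any(m in ev["detail"] for m in SOCKET_MARKERS):
            me["socket"] = True
    partial = sorted(p for p, s in state.items() if s["splice"] and s["socket"]
                     and p not in flagged and s["uid"] not in (None, 0))
    return alerts, partial
```

On the constructed sample, pid 4243 (su, uid 0) spawned by the splice+rxrpc process 4242 (uid 1000) raises the alert, while 5100 is reported only as a partial chain worth hunting.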

CVSS provenance

nvd (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.8 HIGH
vendor_ubuntu: 8.8 HIGH
vendor_redhat: 7.8 HIGH