HIGH
xsk UMEM Headroom OOB
CVE-2026-43093
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: xsk: tighten UMEM headroom validation to account for tailroom and min frame The current headroom validation in xdp_umem_reg() could leave us with insufficient space dedicated to even receive minimum-sized ethernet frame. Furthermore if multi-buffer would come to play then skb_shared_info stored at the end of XSK frame would be corrupted. HW typically works with 128-aligned sizes so let us provide this value as bare minimum. Multi-buffer setting is known later in the configuration process so besides accounting for 128 bytes, let us also take care of tailroom space upfront.
02KernelScan AI Analysis
Risk summary
Local attackers with low privileges can trigger out-of-bounds writes in XDP socket UMEM buffers, potentially leading to kernel memory corruption and privilege escalation. Systems using XDP sockets for high-performance networking are at risk.
Vulnerability analysis
The vulnerability stems from insufficient validation of user-supplied headroom size in xdp_umem_reg(). The original validation only checked that headroom was less than chunk_size minus XDP_PACKET_HEADROOM, but failed to account for tailroom space needed for skb_shared_info structure and minimum frame alignment requirements. This allows malicious users to configure headroom values that leave insufficient space for packet data, causing out-of-bounds writes when packets are received. The fix tightens the validation by subtracting additional space for skb_shared_info (SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) and a 128-byte minimum alignment requirement from the available chunk space.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.20 | 4.20 | 5f123bc278bf |
| 5.10 | 5.10.258 | a03975beb9f6 |
| 5.15 | 5.15.209 | 0ec4d3f6e693 |
| 5.5 | 5.5 | 1a6051cd7e3e |
| 5.7 | 5.7 | 8769708add9e |
| 6.1 | 6.1.175 | 9ea6ba4f3195 |
| 6.12 | 6.12.83 | a315e022a72d |
| 6.18 | 6.18.24 | — |
| 6.19 | 6.19.14 | — |
| 6.6 | 6.6.136 | 6523bc1b40e6 |
| mainline | 7.0 | — |