KernelScan.io

HIGH

Dirty Frag

CVE-2026-43500

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

02

Engine: voss-security-thread-2.3

Risk summary

A local unprivileged user can gain root privileges by corrupting the page cache of security-critical files (e.g. /usr/bin/su or /etc/passwd); later reads and executions of those files are served from the corrupted pages. The attack requires creating a user namespace and a network namespace, which is typically available to unprivileged users on most distributions. A public, fully weaponized proof-of-concept exploit is provided in the disclosure, making the vulnerability immediately exploitable.

Affected: net/xfrm/ and net/rxrpc/

Vulnerability analysis

Summary: Two distinct vulnerabilities in the Linux kernel's ESP decryption (net/xfrm/) and RXKAD packet verification (net/rxrpc/) allow a local attacker to overwrite the page cache of any file they can open for reading with arbitrary content, leading to root escalation.
Root Cause: In both cases the kernel runs a cryptographic transform in place on an skb whose paged fragments it does not own: the data is file content the attacker spliced from the page cache into a socket. Because such an skb is not cloned, the existing gate does not copy it to a linear buffer first, and the in-place path binds the page-cache pages directly into the cipher's scatter-gather list (skb_to_sgvec()). The decryption output, which the attacker steers through the crafted key and ciphertext, is therefore written back into the file's page cache at the spliced offset.
Attack Surface: The attacks are initiated from a local unprivileged user namespace with its own network namespace. The ESP path uses AF_NETLINK XFRM messages to install crafted security associations and then splices file data into a UDP socket with ESP-in-UDP encapsulation. The RXKAD path uses AF_RXRPC with a crafted rxkad key and a manually constructed packet to trigger in-place decryption at a chosen file offset.
Fix Mechanism: The netdev commit referenced in the disclosure (f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) corrects the ESP path so that decryption no longer writes into spliced page-cache pages. The RXKAD issue is addressed by the rxrpc patch quoted in section 01, posted on lore.kernel.org, which extends the unshare gate so that skbs with skb_has_frag_list() or skb_has_shared_frag() set are copied to a linear buffer before decryption, while skbs whose frags are kernel-private keep the zero-copy path. Until patched kernels are deployed, distributions are advised to blacklist the esp4, esp6 and rxrpc modules; note that this disables IPsec ESP and the in-kernel AFS client (kafs) on the host.
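The following C model is added here as an illustration of why the unshare gate matters; it is not kernel code and not from the disclosure. struct model_skb, the MODEL_* bits, the 64-byte page and the XOR keystream are stand-ins for struct sk_buff, skb_cloned()/skb_has_frag_list()/skb_has_shared_frag(), a page-cache page and the AEAD/skcipher run over the SGL that skb_to_sgvec() builds; the passwd-style line is constructed input. Under the old gate a spliced, non-cloned skb is decrypted in place and the file's page ends up holding the line the attacker chose; under the fixed gate the same packet is decrypted in a private linear copy and the page is untouched.

```c
/* Added model of the "Dirty Frag" unshare gate. Not kernel code: every
 * name below is a stand-in for the real struct sk_buff / skb_* helpers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SZ 64

/* Stand-in for the page-cache page of a file the attacker may only read. */
static uint8_t page_cache[PAGE_SZ];
/* Stand-in for a kernel-private RX page (NIC page_pool, GRO). */
static uint8_t private_page[PAGE_SZ];

enum { MODEL_CLONED = 1, MODEL_FRAG_LIST = 2, MODEL_SHARED_FRAG = 4 };

struct model_skb {
    unsigned flags;    /* MODEL_* bits, stand-ins for skb state */
    uint8_t *frag;     /* the single paged fragment */
    size_t frag_len;
};

/* Gate before the fix: copy to a linear skb only when cloned. */
static bool old_needs_unshare(const struct model_skb *s)
{
    return (s->flags & MODEL_CLONED) != 0;
}

/* Gate after the fix: also unshare when the frags are not kernel-private. */
static bool new_needs_unshare(const struct model_skb *s)
{
    return (s->flags & (MODEL_CLONED | MODEL_FRAG_LIST | MODEL_SHARED_FRAG)) != 0;
}

/* Toy stream decryption: XOR with a keystream the attacker's key selects.
 * Like the real primitive it writes its output over its input. */
static void decrypt_in_place(uint8_t *buf, size_t len, const uint8_t *keystream)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= keystream[i];
}

/* Run one DATA packet through the handler under the given gate.
 * Returns true if the file's page-cache page was modified. */
static bool handle_packet(const struct model_skb *s,
                          bool (*gate)(const struct model_skb *),
                          const uint8_t *keystream)
{
    uint8_t snapshot[PAGE_SZ];
    memcpy(snapshot, page_cache, PAGE_SZ);

    if (gate(s)) {
        /* Unshare: decrypt a private linear copy; the frag page is untouched. */
        uint8_t linear[PAGE_SZ];
        memcpy(linear, s->frag, s->frag_len);
        decrypt_in_place(linear, s->frag_len, keystream);
    } else {
        /* Zero-copy path: the frag page itself is the cipher's output buffer. */
        decrypt_in_place(s->frag, s->frag_len, keystream);
    }
    return memcmp(snapshot, page_cache, PAGE_SZ) != 0;
}

/* Constructed scenario: the page holds a passwd-style line, the attacker
 * splices it into the socket (shared frag, not cloned) and derives a
 * keystream that turns the known plaintext into the line they want. */
static const char file_line[]   = "root:x:0:0:root:/root:/bin/bash\n";
static const char wanted_line[] = "root::0:0:root:/root:/bin/bash\n\n";

static struct model_skb spliced_skb(void)
{
    memset(page_cache, 0, PAGE_SZ);
    memcpy(page_cache, file_line, sizeof file_line - 1);
    struct model_skb s = { MODEL_SHARED_FRAG, page_cache, sizeof file_line - 1 };
    return s;
}

static void attacker_keystream(uint8_t *ks)
{
    for (size_t i = 0; i < sizeof file_line - 1; i++)
        ks[i] = (uint8_t)((uint8_t)file_line[i] ^ (uint8_t)wanted_line[i]);
}

/* Old gate: the page cache now holds the attacker's line. */
bool old_gate_rewrites_page_cache(void)
{
    struct model_skb s = spliced_skb();
    uint8_t ks[PAGE_SZ];
    attacker_keystream(ks);
    bool changed = handle_packet(&s, old_needs_unshare, ks);
    return changed && memcmp(page_cache, wanted_line, sizeof wanted_line - 1) == 0;
}

/* Fixed gate: same packet, page cache unchanged. */
bool new_gate_leaves_page_cache_intact(void)
{
    struct model_skb s = spliced_skb();
    uint8_t ks[PAGE_SZ];
    attacker_keystream(ks);
    bool changed = handle_packet(&s, new_needs_unshare, ks);
    return !changed && memcmp(page_cache, file_line, sizeof file_line - 1) == 0;
}

/* Fixed gate still takes the zero-copy path for kernel-private frags. */
bool new_gate_keeps_zero_copy_for_private_frags(void)
{
    struct model_skb s = { 0, private_page, 32 };
    return !new_needs_unshare(&s);
}
```

old_gate_rewrites_page_cache() and new_gate_leaves_page_cache_intact() both return true, which is the before/after behaviour of the two gates on the same packet; the third function shows the trade-off the commit message describes, namely that an skb with no clone, frag list or shared frag still avoids the copy.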

03

Branch     Fixed in   Patch commit
6.12       6.12.88    3711382a7734
6.18       6.18.29    3eae0f4f9f72
6.6        6.6.140    7c504ffab3ef
7.0        7.0.6      d45179f87952
mainline   7.1-rc3    aa54b1d27fe0