CVE-2026-43092
Description
In the Linux kernel, the following vulnerability has been resolved:
xsk: validate MTU against usable frame size on bind
AF_XDP bind currently accepts zero-copy pool configurations without verifying that the device MTU fits into the usable frame space provided by the UMEM chunk.
This becomes a problem since we started to respect tailroom which is subtracted from chunk_size (among with headroom). 2k chunk size might not provide enough space for standard 1500 MTU, so let us catch such settings at bind time. Furthermore, validate whether underlying HW will be able to satisfy configured MTU wrt XSK's frame size multiplied by supported Rx buffer chain length (that is exposed via net_device::xdp_zc_max_segs).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AF_XDP bind in the Linux kernel lacked MTU vs. usable frame size validation, allowing zero-copy configs with insufficient space for standard 1500-byte packets.
Vulnerability
Description
The AF_XDP socket implementation in the Linux kernel failed to validate whether a device's MTU fits within the usable frame space of a UMEM chunk at bind time. When tailroom and headroom are subtracted from the chunk size, a 2 kiB chunk may not provide enough room for a standard 1500-byte MTU, leading to potential buffer overflows or data corruption during zero-copy packet processing [1][2][4].
Attack
Vector and Prerequisites
An attacker would need the ability to set up AF_XDP sockets with zero-copy mode on a system, which typically requires CAP_NET_RAW or equivalent privileges. By binding an XSK to a device with an MTU larger than the usable frame size derived from the UMEM chunk, the kernel would proceed without rejecting the configuration, enabling out-of-bounds memory access when packets are received [3].
Impact
Successful exploitation could result in memory corruption, leading to system instability or information disclosure. An attacker could potentially corrupt adjacent UMEM regions or kernel memory, depending on the hardware's Rx buffer chain length and the configured MTU [1][2].
Mitigation
The fix adds validation during bind against both the MTU and the maximum segment count exposed via net_device::xdp_zc_max_segs. This ensures any zero-copy mapping that cannot accommodate the configured MTU is rejected early. The patch has been backported to stable kernel trees [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/25e1e91a8da819924df0b16e3812d7b24c8ce133nvdPatch
- git.kernel.org/stable/c/36ee60b569ba0dfb6f961333b90d19ab5b323fa9nvdPatch
- git.kernel.org/stable/c/a55793e5a97d4e39bdb380873a9780fe0010bff6nvdPatch
- git.kernel.org/stable/c/b2f4daa6422fd6cc0cec969794dab4a88ea4cea1nvdPatch
- git.kernel.org/stable/c/f669d60db11dbabb96279f2b20f9d1cba43cddb2nvdPatch
News mentions
0No linked articles in our index yet.