CVE-2026-43500
Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
15cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >5.3,<6.18.29
- cpe:2.3:o:linux:linux_kernel:5.3:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.3:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.3:rc8:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
- osv-coords9 versionspkg:apk/chainguard/linux-aws-6.18pkg:apk/chainguard/linux-azure-6.18pkg:apk/chainguard/linux-gcp-6.18pkg:apk/chainguard/linux-qemu-6.18pkg:apk/chainguard/linux-qemu-6.18-bootc-boot-installedpkg:apk/chainguard/linux-qemu-melangepkg:apk/chainguard/linux-qemu-rcpkg:apk/chainguard/linux-vmware-6.18pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Tumbleweed
< 6.18.31-r0+ 8 more
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 7.1_rc3-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 7.0.7-1.1
Patches
Vulnerability mechanics
References
5- git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412cnvdPatch
- git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71nvdPatch
- git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411nvdPatch
- git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568nvd
- git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18bnvd
News mentions
23- ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root AccessSecurityWeek · Jun 29, 2026
- New DirtyClone Linux Vulnerability Allows Attackers to Gain Root Access Via Cloned PacketsCyber Security News · Jun 26, 2026
- New Linux pedit COW Exploit Allows Attackers to Gain System Root AccessCyber Security News · Jun 26, 2026
- New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned PacketsThe Hacker News · Jun 26, 2026
- Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight ModelsThe Hacker News · Jun 9, 2026
- Linux Kernel vulnerability Dirty FragFortinet PSIRT · Jun 3, 2026
- Metasploit Wrap Up 05/29/2026Rapid7 Blog · May 29, 2026
- DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE VulnerabilityThe Hacker News · May 19, 2026
- Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalationTenable Blog · May 14, 2026
- New Fragnesia Flaw Hands Linux Local Users Root AccessInfosecurity Magazine · May 14, 2026
- New Fragnesia Linux flaw lets attackers gain root privilegesBleepingComputer · May 14, 2026
- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026
- 'Dirty Frag' Exploit Poised to Blow Up on Enterprise Linux DistrosDark Reading · May 11, 2026
- Rushed Patches Follow Broken Embargo on New Linux Kernel VulnerabilitiesInfosecurity Magazine · May 11, 2026
- Linux developers weigh emergency “killswitch” for vulnerable kernel functionsHelp Net Security · May 11, 2026
- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and MoreThe Hacker News · May 11, 2026
- Dirty Frag: Linux kernel hit by second major security flaw in two weeksThe Record · May 11, 2026
- New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in AttacksSecurityWeek · May 11, 2026
- Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chainTenable Blog · May 8, 2026
- Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)SANS Internet Storm Center · May 8, 2026
- Dirty Frag: Unpatched Linux vulnerability delivers root accessHelp Net Security · May 8, 2026
- New Linux 'Dirty Frag' zero-day gives root on all major distrosBleepingComputer · May 8, 2026
- Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major DistributionsThe Hacker News · May 8, 2026