CVE-2026-43500

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A local privilege escalation issue exists in the RxRPC subsystem of the Linux kernel due to page-cache corruption via sk buff fragments. The DATA-packet handler in rxrpc input call event() and the RESPONSE handler in rxrpc verify response() only copy the socket buffer (skb) to a linear one when skb cloned() is true. If an skb is not cloned but contains externally-owned paged fragments (such as those set by splice() into a UDP socket via ip append data or a chained skb has frag list()), it enters the in-place decryption path. This path binds frag pages directly into the AEAD/skcipher SGL via skb to sgvec(). This flaw allows an unprivileged local user to write data to the page cache, potentially leading to root privilege escalation or a denial of service via buffer overflow.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.