PT-2026-38680 · Linux+4 · Linux Kernel+4
Sandipan Roy · Published 2026-05-04 · Updated 2026-06-09 · CVE-2026-43284
CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
An issue exists in the xfrm-ESP and RxRPC subsystems of the Linux kernel involving unsafe in-place cryptographic processing of shared socket buffer fragments. Specifically, when MSG_SPLICE_PAGES attaches pages from a pipe directly to an skb, the IPv4/IPv6 datagram append paths fail to set the SKBFL_SHARED_FRAG flag when splicing pages into UDP skbs. This causes ESP-in-UDP packets made from shared pipe pages to be treated as ordinary uncloned nonlinear skbs, leading the ESP input to use a no-COW fast path and decrypt in place over data not privately owned by the skb. This out-of-bounds operation allows a low-privileged local attacker to corrupt page-cache contents of readable files, including sensitive system files, potentially resulting in root privilege escalation. The xfrm-ESP variant requires the creation of an unprivileged user or network namespace, while the RxRPC variant requires the rxrpc module to be available on the target system.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
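A defender's exposure check for the two preconditions named in the description (unprivileged namespace creation for the xfrm-ESP variant, rxrpc availability for the RxRPC variant), added here as an example and not part of the advisory or any vendor tooling. It assumes the standard user.max_user_namespaces sysctl, the Debian/Ubuntu-style kernel.unprivileged_userns_clone sysctl and the usual /lib/modules layout; the function names and the root prefix argument are hypothetical, and the output describes preconditions only, not patch status.

```shell
#!/bin/sh
# Reports the two preconditions the description names. "root" is a hypothetical
# prefix argument so the checks can run on a copied or constructed tree.

# yes/no: can an unprivileged user create a user namespace?
userns_allowed() {
    root=$1
    max="$root/proc/sys/user/max_user_namespaces"
    # Assumption: this sysctl exists only on Debian/Ubuntu-style kernels.
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"
    [ -r "$max" ] || { echo no; return 0; }          # no user namespace support
    [ "$(cat "$max")" -gt 0 ] 2>/dev/null || { echo no; return 0; }
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo no; return 0
    fi
    echo yes
}

# loaded | builtin | blocked | available | absent, for kernel version $2
rxrpc_state() {
    root=$1; moddir="$root/lib/modules/$2"
    if grep -q '^rxrpc ' "$root/proc/modules" 2>/dev/null; then
        echo loaded; return 0
    fi
    if grep -q '/rxrpc\.ko' "$moddir/modules.builtin" 2>/dev/null; then
        echo builtin; return 0
    fi
    if ! find "$moddir" -name 'rxrpc.ko*' 2>/dev/null | grep -q .; then
        echo absent; return 0
    fi
    # "install rxrpc /bin/false" in modprobe.d turns every load request into a no-op.
    if grep -rqsE '^[[:space:]]*install[[:space:]]+rxrpc[[:space:]]+(/usr)?/bin/(false|true)' \
            "$root/etc/modprobe.d"; then
        echo blocked; return 0
    fi
    echo available
}

exposure_report() {
    root=$1; kver=${2:-$(uname -r)}
    echo "xfrm-ESP variant, unprivileged user namespaces: $(userns_allowed "$root")"
    echo "RxRPC variant, rxrpc module: $(rxrpc_state "$root" "$kver")"
}

exposure_report "${1:-}"   # empty prefix means the live system
```

Pass a directory prefix as the first argument to evaluate a mounted image or a collected file tree instead of the running host.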
Exploit
RCE
LPE
Use After Free
Related Identifiers
Affected Products
Linuxmint
Linux Kernel
Red Os
Rocky Linux
Ubuntu