CVE-2026-43500

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An issue exists in the RxRPC module due to incorrect handling of fragmented packets and data copying mechanisms in socket buffers. The DATA-packet handler in rxrpc input call event() and the RESPONSE handler in rxrpc verify response() only copy the socket buffer (skb) to a linear one when skb cloned() is true. If an skb is not cloned but contains externally-owned paged fragments—such as those set by splice() into a UDP socket via ip append data or a chained skb has frag list()—it proceeds to the in-place decryption path. This path binds the fragment pages directly into the AEAD/skcipher SGL (Scatter-Gather List) via skb to sgvec(). This flaw can be exploited to cause a denial of service.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.