PT-2026-38907 · Linux+3 · Linux Kernel+3
Hyunwoo Kim +1 · Published 2026-04-29 · Updated 2026-06-07
CVE-2026-43500
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
An issue exists in the RxRPC subsystem of the Linux kernel involving the incorrect handling of fragmented packets and data copying mechanisms in socket buffers. Specifically, the DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() only copy the socket buffer (skb) to a linear one when skb_cloned() is true. If an skb is not cloned but contains externally owned paged fragments (such as those set by splice() into a UDP socket via ip_append_data, or a chained skb_has_frag_list()), it enters the in-place decryption path. This process binds the fragment pages directly into the AEAD/skcipher SGL via skb_to_sgvec(), which can lead to page-cache corruption. This flaw allows an unprivileged local user to write data into the page cache, potentially resulting in a denial of service or local privilege escalation to root level.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
LPE
Memory Corruption
Affected Products
Linuxmint
Linux Kernel
Red Os
Ubuntu