UBUNTU-CVE-2026-43500

Advisory lineage Upstream: 1 Downstream: 10

Upstream

CVE-2026-43500

Downstream

USN-8370-1 USN-8371-1 USN-8373-1 USN-8374-1 USN-8388-1 USN-8389-1

Published: 11 May 2026, 08:16

Last modified:12 Jun 2026, 09:14

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

3.1 (osv_ubuntu)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

11 May 2026, 08:16

Published

Vulnerability first disclosed

12 Jun 2026, 09:14

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

ubuntu•linux
all | all | all | all | all | < 5.4.0-231.251 | < 5.15.0-181.191 | < 6.8.0-124.124 | < 6.17.0-35.35 | < 7.0.0-22.22
ubuntu•linux-allwinner-5.19
all
ubuntu•linux-aws
all | all | all | all | all | < 5.4.0-1160.170 | < 5.15.0-1109.116 | < 6.8.0-1057.60 | < 6.17.0-1017.17 | < 7.0.0-1006.6
ubuntu•linux-aws-5.0
all
ubuntu•linux-aws-5.11
all
ubuntu•linux-aws-5.13
all
ubuntu•linux-aws-5.15
all | < 5.15.0-1109.116~20.04.1
ubuntu•linux-aws-5.19
all
ubuntu•linux-aws-5.3
all
ubuntu•linux-aws-5.4
all | < 5.4.0-1160.170~18.04.1
ubuntu•linux-aws-5.8
all
ubuntu•linux-aws-6.14
all
ubuntu•linux-aws-6.17
all | < 6.17.0-1017.17~24.04.1
ubuntu•linux-aws-6.2
all
ubuntu•linux-aws-6.5
all
ubuntu•linux-aws-6.8
all | < 6.8.0-1057.60~22.04.1
ubuntu•linux-aws-fips
< 5.4.0-1160.170+fips1 | all | < 5.15.0-1109.116+fips1 | < 6.8.0-1057.60+fips1
ubuntu•linux-aws-hwe
all
ubuntu•linux-azure
all | all | all | all | < 5.4.0-1164.170 | all | < 6.8.0-1058.64 | < 6.17.0-1017.17 | all
ubuntu•linux-azure-4.15
all
ubuntu•linux-azure-5.11
all
ubuntu•linux-azure-5.13
all
ubuntu•linux-azure-5.15
all | < 5.15.0-1114.123~20.04.1
ubuntu•linux-azure-5.19
all
ubuntu•linux-azure-5.3
all
ubuntu•linux-azure-5.4
all | < 5.4.0-1164.170~18.04.1
ubuntu•linux-azure-5.8
all
ubuntu•linux-azure-6.11
all
ubuntu•linux-azure-6.14
all
ubuntu•linux-azure-6.17
all | < 6.17.0-1017.17~24.04.1
ubuntu•linux-azure-6.2
all
ubuntu•linux-azure-6.5
all
ubuntu•linux-azure-6.8
all
ubuntu•linux-azure-edge
all
ubuntu•linux-azure-fde
all | all | all | all | all
ubuntu•linux-azure-fde-5.15
all
ubuntu•linux-azure-fde-5.19
all
ubuntu•linux-azure-fde-6.14
all
ubuntu•linux-azure-fde-6.17
all
ubuntu•linux-azure-fde-6.2
all
ubuntu•linux-azure-fde-6.8
all
ubuntu•linux-azure-fips
< 5.4.0-1164.170+fips1 | all | < 5.15.0-1114.123+fips1 | < 6.8.0-1059.65+fips1
ubuntu•linux-azure-nvidia
all
ubuntu•linux-azure-nvidia-6.14
all
ubuntu•linux-bluefield
all | < 5.4.0-1119.126 | < 5.15.0-1093.95 | all
ubuntu•linux-fips
< 5.4.0-1134.144 | all | < 5.15.0-181.191+fips1 | < 6.8.0-124.124+fips1
ubuntu•linux-gcp
all | all | all | all | all | all | < 5.4.0-1163.172 | < 5.15.0-1109.118 | < 6.8.0-1060.63 | < 6.17.0-1018.19 | < 7.0.0-1005.5
ubuntu•linux-gcp-4.15
all
ubuntu•linux-gcp-5.11
all
ubuntu•linux-gcp-5.13
all

Showing first 50 affected entries in server-rendered view.