HIGH · CISA KEV · IN THE WILD

CVE-2026-43284

Published: May 8, 2026 · Updated: May 14, 2026

CVSS v3.1: 8.8
EPSS: 0.01% probability of exploitation in 30 days · Percentile: 0.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.

That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

NVD Source
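
The copy decision described above, as a userspace model added here for illustration; it is not kernel code and not part of the NVD entry. The struct, the function names and the flag's numeric value are assumptions of the model, and an XOR stands in for the ESP decrypt.

```c
/* Userspace model of the ESP input copy decision (added example, not kernel code). */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define SKBFL_SHARED_FRAG 0x1u  /* name from the description; value constructed */

struct model_skb {               /* hypothetical stand-in for struct sk_buff */
    bool cloned, has_frag_list;
    unsigned flags;
    unsigned char *frag;         /* frag page, possibly owned by a pipe */
    size_t frag_len;
    bool frag_private;           /* true once the model copied the frag */
};

/* Stand-in for skb_cow_data(): give the skb a private copy of the frag. */
static void model_cow(struct model_skb *skb)
{
    unsigned char *copy = malloc(skb->frag_len);
    if (!copy) abort();
    memcpy(copy, skb->frag, skb->frag_len);
    skb->frag = copy;
    skb->frag_private = true;
}

/* ESP input model; esp_checks_flag == false is the behaviour before the fix. */
static void model_esp_input(struct model_skb *skb, bool esp_checks_flag)
{
    bool fast_path = !skb->cloned && !skb->has_frag_list;
    if (esp_checks_flag && (skb->flags & SKBFL_SHARED_FRAG))
        fast_path = false;       /* fix: externally backed frags are copied */
    if (!fast_path) model_cow(skb);
    for (size_t i = 0; i < skb->frag_len; i++)
        skb->frag[i] ^= 0x5a;    /* toy in-place "decrypt", not a real cipher */
}

/* True if the pipe-owned page was overwritten by the in-place decrypt. */
static bool pipe_page_modified(bool splice_sets_flag, bool esp_checks_flag)
{
    unsigned char page[] = "PIPEDATA", before[sizeof page];  /* constructed */
    struct model_skb skb = { .flags = splice_sets_flag ? SKBFL_SHARED_FRAG : 0,
                             .frag = page, .frag_len = sizeof page - 1 };
    memcpy(before, page, sizeof page);
    model_esp_input(&skb, esp_checks_flag);
    bool changed = memcmp(before, page, sizeof page) != 0;
    if (skb.frag_private) free(skb.frag);
    return changed;
}
int main(void) { return pipe_page_modified(true, true) ? 1 : 0; }
```

In this model the pipe-owned page stays untouched only when the splice path sets the flag and ESP input checks it, which matches the description's two-part change.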

Technical Analysis

CVE-2026-43284 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service), giving a CVSS base score of 8.8.

The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.

CISA has added CVE-2026-43284 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Local
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Changed
Impact
  Confidentiality: High
  Integrity: High
  Availability: High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Vendors & Products

Linux: 1 product
  linux kernel
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

ACTIVE EXPLOITATION: Confirmed exploitation in the wild

Official Patches & Advisories

News & Research Mentioning CVE-2026-43284

Impact of Linux Kernel vulnerabilities on B&R products
CISA Alerts · Jun 23, 2026

B&R is aware of publicly reported vulnerabilities affecting the Linux kernel versions shipped with the products listed as affected in the advisory. Successful local exploitation of these vulnerabilities could allow an attacker to escalate privileges on the affected system. Public proof-of-concept exploits are available for the vulnerabilities described herein. At the time of publication of this advisory, B&R had no evidence of active exploitation targeting B&R products. The following versions of Impact of Linux Kernel vulnerabilities on B&R products are affected: Linux for B&R /etc/modprobe.d/disable-algif.conf rmmod algif_aead 2>/dev/null || true Impact assessment: Disabling the algif_aead module removes the AEAD socket interface f

New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks
SecurityWeek · May 11, 2026

Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was released.

All References (15)

Quick Facts

CVE ID: CVE-2026-43284
CVSS Score: 8.8 / 10
Severity: HIGH
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
EPSS (30d): 0.01%
Affected: 1 vendor
Published: May 8, 2026

Known Threat Actors

  • wa (financial)
  • pear (financial)
  • core (financial)
  • frag (financial)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43284 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.